Windows Analysis Report
4EBE6@3.exe

Overview

General Information

Sample Name: 4EBE6@3.exe
Analysis ID: 679195
MD5: ade71491b076ca7a43effaf0214dd030
SHA1: 75623647a35d7bfbfc0df5dfc24646c8d53367d1
SHA256: 81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Drops executable to a common third party application directory
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 4EBE6@3.exe (PID: 400 cmdline: "C:\Users\user\Desktop\4EBE6@3.exe" MD5: ADE71491B076CA7A43EFFAF0214DD030)
    • noise.exe (PID: 1600 cmdline: "C:\Users\user\AppData\Local\Temp\noise.exe" MD5: ADE71491B076CA7A43EFFAF0214DD030)
      • InstallUtil.exe (PID: 6036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • Acrobat.exe (PID: 4876 cmdline: "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe" MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
Source | Rule | Description | Author | Strings
00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown |
  • 0x65a3a:$a13: get_DnsResolver
  • 0x9a32a:$a13: get_DnsResolver
  • 0xcec0a:$a13: get_DnsResolver
  • 0x6421e:$a20: get_LastAccessed
  • 0x98b0e:$a20: get_LastAccessed
  • 0xcd3ee:$a20: get_LastAccessed
  • 0x663cc:$a27: set_InternalServerPort
  • 0x9acbc:$a27: set_InternalServerPort
  • 0xcf59c:$a27: set_InternalServerPort
  • 0x666e8:$a30: set_GuidMasterKey
  • 0x9afd8:$a30: set_GuidMasterKey
  • 0xcf8b8:$a30: set_GuidMasterKey
  • 0x64325:$a33: get_Clipboard
  • 0x98c15:$a33: get_Clipboard
  • 0xcd4f5:$a33: get_Clipboard
  • 0x64333:$a34: get_Keyboard
  • 0x98c23:$a34: get_Keyboard
  • 0xcd503:$a34: get_Keyboard
  • 0x65655:$a35: get_ShiftKeyDown
  • 0x99f45:$a35: get_ShiftKeyDown
  • 0xce825:$a35: get_ShiftKeyDown
0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
13.2.noise.exe.3ea9c02.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
13.2.noise.exe.3ea9c02.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
13.2.noise.exe.3ea9c02.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen |
  • 0x30eba:$s10: logins
  • 0x30921:$s11: credential
  • 0x2cec3:$g1: get_Clipboard
  • 0x2ced1:$g2: get_Keyboard
  • 0x2cede:$g3: get_Password
  • 0x2e1e3:$g4: get_CtrlKeyDown
  • 0x2e1f3:$g5: get_ShiftKeyDown
  • 0x2e204:$g6: get_AltKeyDown
13.2.noise.exe.3ea9c02.2.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown |
  • 0x2e5d8:$a13: get_DnsResolver
  • 0x2cdbc:$a20: get_LastAccessed
  • 0x2ef6a:$a27: set_InternalServerPort
  • 0x2f286:$a30: set_GuidMasterKey
  • 0x2cec3:$a33: get_Clipboard
  • 0x2ced1:$a34: get_Keyboard
  • 0x2e1f3:$a35: get_ShiftKeyDown
  • 0x2e204:$a36: get_AltKeyDown
  • 0x2cede:$a37: get_Password
  • 0x2d99a:$a38: get_PasswordHash
  • 0x2e9d8:$a39: get_DefaultCredentials
1.2.4EBE6@3.exe.4a1ef52.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 4EBE6@3.exe | Virustotal: Detection: 61%
Source: 4EBE6@3.exe | ReversingLabs: Detection: 50%
Source: 4EBE6@3.exe | Avira: detected
Source: 4EBE6@3.exe | Joe Sandbox ML: detected
Source: 18.0.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.4EBE6@3.exe.4a1ef52.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
Source: 4EBE6@3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: 4EBE6@3.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Acrobat.exe, 0000001C.00000000.553672642.0000000000852000.00000002.00000001.01000000.0000000C.sdmp, Acrobat.exe.18.dr
Source: Binary string: InstallUtil.pdb source: Acrobat.exe, 0000001C.00000000.553672642.0000000000852000.00000002.00000001.01000000.0000000C.sdmp, Acrobat.exe.18.dr
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                Source: InstallUtil.exe, 00000012.00000002.574138944.0000000002F11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                Source: unknown DNS traffic detected: queries for: www.google.com
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
                Source: unknown HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49734 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.3:49744 version: TLS 1.2

                System Summary

                Source: 13.2.noise.exe.3ea9c02.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3ea9c02.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4a1ef52.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4a1ef52.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4abc9d2.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4abc9d2.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3f7bf72.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3f7bf72.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3ede4f2.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3ede4f2.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3fb0848.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3fb0848.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4af12a8.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4af12a8.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3f12dd2.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3f12dd2.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 18.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 18.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4af12a8.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4af12a8.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.49ea662.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.49ea662.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4a1ef52.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4a1ef52.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4abc9d2.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4abc9d2.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3f7bf72.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3f7bf72.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3f12dd2.0.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3f12dd2.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3fb0848.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3fb0848.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.49ea662.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.49ea662.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3ede4f2.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3ede4f2.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 13.2.noise.exe.3ea9c02.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 13.2.noise.exe.3ea9c02.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4a53832.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4a53832.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.4EBE6@3.exe.4a53832.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.4EBE6@3.exe.4a53832.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000012.00000000.442229675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0000000D.00000002.533246648.0000000003E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0000000D.00000002.540720727.0000000003F7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.343598917.0000000004ABC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: 4EBE6@3.exe PID: 400, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: noise.exe PID: 1600, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: InstallUtil.exe PID: 6036, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 18.0.InstallUtil.exe.400000.0.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
                Source: 4EBE6@3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 13.2.noise.exe.3ea9c02.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 13.2.noise.exe.3ea9c02.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\AppData\Local\Temp\noise.exeCode function: 13_2_06EA4EC8 CreateProcessAsUserW,
                Source: 4EBE6@3.exe, 00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs 4EBE6@3.exe
                Source: 4EBE6@3.exe, 00000001.00000002.345454874.00000000066B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameStrengthBody.dll: vs 4EBE6@3.exe
                Source: 4EBE6@3.exe, 00000001.00000002.342117362.000000000412A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameStrengthBody.dll: vs 4EBE6@3.exe
                Source: 4EBE6@3.exe, 00000001.00000002.343598917.0000000004ABC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs 4EBE6@3.exe
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                Source: 4EBE6@3.exeVirustotal: Detection: 61%
                Source: 4EBE6@3.exeReversingLabs: Detection: 50%
                Source: 4EBE6@3.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\4EBE6@3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\4EBE6@3.exe "C:\Users\user\Desktop\4EBE6@3.exe"
                Source: C:\Users\user\Desktop\4EBE6@3.exeProcess created: C:\Users\user\AppData\Local\Temp\noise.exe "C:\Users\user\AppData\Local\Temp\noise.exe"
                Source: C:\Users\user\AppData\Local\Temp\noise.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
                Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\4EBE6@3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\4EBE6@3.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4EBE6@3.exe.log
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@3/1
                Source: C:\Users\user\Desktop\4EBE6@3.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: 4EBE6@3.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\4EBE6@3.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\noise.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1112:120:WilError_01
                Source: 18.0.InstallUtil.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\4EBE6@3.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Local\Temp\noise.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\4EBE6@3.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: 4EBE6@3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 4EBE6@3.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Acrobat.exe, 0000001C.00000000.553672642.0000000000852000.00000002.00000001.01000000.0000000C.sdmp, Acrobat.exe.18.dr
                Source: Binary string: InstallUtil.pdb source: Acrobat.exe, 0000001C.00000000.553672642.0000000000852000.00000002.00000001.01000000.0000000C.sdmp, Acrobat.exe.18.dr
                Source: C:\Users\user\AppData\Local\Temp\noise.exeCode function: 13_2_00C5C8C2 push es; ret
                Source: 4EBE6@3.exe, n5L2J/Sr20Y.csHigh entropy of concatenated method names: '.ctor', 'Hs19G', 'Qg18Z', 'Aa69S', 'q5NGr', 'd0G9D', 'z1K9X', 'Hj37A', 's4S2C', 'c5WNs'
                Source: 4EBE6@3.exe, Ae75G/Wy1j9.csHigh entropy of concatenated method names: '.ctor', 'Wz7j3', 'y1DPe', 'Qo30S', 'Zr06D', 'z0N2R', 'Gp28M', 'Kw84G', 'r9X7Y', 'g8CSi'
                Source: 4EBE6@3.exe, n8S4Q/r1J9X.csHigh entropy of concatenated method names: '.ctor', 'y2ZNn', 'At7p2', 'Rg40E', 'x1QNm', 'Rk2z8', 'Ex48K', 'd0R6B', 'z4RJx', 'Mi23R'
                Source: 4EBE6@3.exe, y3C7Y/e5TYr.csHigh entropy of concatenated method names: '.ctor', 'Kk13D', 'Wb0y1', 'd5AGx', 'z4L0A', 'Ww8s3', 'Fa4z5', 'Ck50F', 'j4B7X', 's5E3K'
                Source: 1.0.4EBE6@3.exe.320000.0.unpack, n5L2J/Sr20Y.csHigh entropy of concatenated method names: '.ctor', 'Hs19G', 'Qg18Z', 'Aa69S', 'q5NGr', 'd0G9D', 'z1K9X', 'Hj37A', 's4S2C', 'c5WNs'
                Source: 1.0.4EBE6@3.exe.320000.0.unpack, n8S4Q/r1J9X.csHigh entropy of concatenated method names: '.ctor', 'y2ZNn', 'At7p2', 'Rg40E', 'x1QNm', 'Rk2z8', 'Ex48K', 'd0R6B', 'z4RJx', 'Mi23R'
                Source: 1.0.4EBE6@3.exe.320000.0.unpack, Ae75G/Wy1j9.csHigh entropy of concatenated method names: '.ctor', 'Wz7j3', 'y1DPe', 'Qo30S', 'Zr06D', 'z0N2R', 'Gp28M', 'Kw84G', 'r9X7Y', 'g8CSi'
                Source: 1.0.4EBE6@3.exe.320000.0.unpack, y3C7Y/e5TYr.csHigh entropy of concatenated method names: '.ctor', 'Kk13D', 'Wb0y1', 'd5AGx', 'z4L0A', 'Ww8s3', 'Fa4z5', 'Ck50F', 'j4B7X', 's5E3K'

                Persistence and Installation Behavior

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile written: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Acrobat

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\4EBE6@3.exeFile opened: C:\Users\user\Desktop\4EBE6@3.exe\:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Local\Temp\noise.exeFile opened: C:\Users\user\AppData\Local\Temp\noise.exe\:Zone.Identifier read attributes | delete
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe:Zone.Identifier read attributes | delete
                Source: c:\users\user\desktop\4ebe6@3.exeFile moved: C:\Users\user\AppData\Local\Temp\noise.exe
                Source: C:\Users\user\Desktop\4EBE6@3.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\noise.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\4EBE6@3.exe TID: 5616 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\4EBE6@3.exe TID: 5576 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\4EBE6@3.exe TID: 6024 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\noise.exe TID: 1864 Thread sleep time: -13835058055282155s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\noise.exe TID: 1864 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5048 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2344 Thread sleep count: 9536 > 30
                Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe TID: 6012 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\4EBE6@3.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Window / User API: threadDelayed 9829
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 9536
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\4EBE6@3.exe Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Thread delayed: delay time: 30000
                Source: InstallUtil.exe, 00000012.00000002.592820026.0000000006230000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWons, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
                Source: 4EBE6@3.exe, 00000001.00000002.335911316.0000000003118000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
                Source: noise.exe, 0000000D.00000002.517195643.00000000025D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
                Source: noise.exe, 0000000D.00000002.517195643.00000000025D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
                Source: noise.exe, 0000000D.00000002.517195643.00000000025D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTrayBody
                Source: InstallUtil.exe, 00000012.00000002.593597181.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.592820026.0000000006230000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\4EBE6@3.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\4EBE6@3.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Temp\noise.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 436000
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 438000
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: BBC008
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\4EBE6@3.exe Process created: C:\Users\user\AppData\Local\Temp\noise.exe "C:\Users\user\AppData\Local\Temp\noise.exe"
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                Source: C:\Users\user\Desktop\4EBE6@3.exe Queries volume information: C:\Users\user\Desktop\4EBE6@3.exe VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Queries volume information: C:\Users\user\AppData\Local\Temp\noise.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\noise.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Users\user\Desktop\4EBE6@3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: Process Memory Space: 4EBE6@3.exe PID: 400, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: noise.exe PID: 1600, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 6036, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match, File source: 00000012.00000002.574138944.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 6036, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match; File source: Process Memory Space: 4EBE6@3.exe PID: 400, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: noise.exe PID: 1600, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6036, type: MEMORYSTR
                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                1 Valid Accounts | 211 Windows Management Instrumentation | 1 Valid Accounts | 1 Valid Accounts | 21 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | 211 Process Injection | 1 Access Token Manipulation | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 131 Virtualization/Sandbox Evasion | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 211 Process Injection | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Deobfuscate/Decode Files or Information | DCSync | 114 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Obfuscated Files or Information | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Software Packing | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                Behavior Graph ID: 679195, Sample: 4EBE6@3.exe, Startdate: 05/08/2022, Architecture: WINDOWS, Score: 100
                DNS/IP: multimetals.cfd
                Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
                • 4EBE6@3.exe (started)
                  DNS/IP: www.google.com 142.250.185.196, 443, 49734, 49744 GOOGLEUS United States
                  Dropped: C:\Users\user\AppData\...\4EBE6@3.exe.log, ASCII
                  Signatures: Moves itself to temp directory; Hides that the sample has been downloaded from the Internet (zone.identifier)
                  • noise.exe (started)
                    DNS/IP: www.google.com
                    Signatures: Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                    • InstallUtil.exe (started)
                      Dropped: C:\Users\user\AppData\Roaming\...\Acrobat.exe, PE32
                      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 2 other signatures
                • Acrobat.exe (started)
                  • conhost.exe (started)

                Source | Detection | Scanner | Label | Link
                4EBE6@3.exe | 62% | Virustotal | | Browse
                4EBE6@3.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                4EBE6@3.exe | 100% | Avira | TR/Kryptik.avxgd |
                4EBE6@3.exe | 100% | Joe Sandbox ML | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe | 0% | Metadefender | | Browse
                C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe | 0% | ReversingLabs | |

                Source | Detection | Scanner | Label | Link | Download
                18.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                multimetals.cfd | 192.185.37.183 | true | false | | unknown
                www.google.com | 142.250.185.196 | true | false | | high

                Name | Malicious | Antivirus Detection | Reputation
                https://www.google.com/ | false | | high
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cnTFGZP4EBE6@3.exe, 00000001.00000003.307529594.000000000C51D000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.307605500.000000000C51E000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.307461611.000000000C51C000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.tiro.como5p4EBE6@3.exe, 00000001.00000003.308235544.000000000C524000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.308050243.000000000C520000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.308086430.000000000C520000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.308116259.000000000C528000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.308182391.000000000C523000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.308155481.000000000C522000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.carterandcone.comormll4EBE6@3.exe, 00000001.00000003.308405539.000000000C4F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.founder.com.cn/cnt-it4EBE6@3.exe, 00000001.00000003.307561212.000000000C500000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.carterandcone.coml4EBE6@3.exe, 00000001.00000002.349782029.000000000D702000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://ns.adobe.cobj=noise.exe, 0000000D.00000003.362585268.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.363977934.000000000BA34000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.362153601.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.364534093.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.361999407.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.364314645.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.434325843.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.362339951.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.363235158.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.362865345.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.364132096.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.364684475.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.363031127.000000000BA38000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.361734419.000000000BA30000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.363500284.000000000BA38000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.fontbureau.com/designers)4EBE6@3.exe, 00000001.00000003.311250923.000000000C526000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.fontbureau.com/designers/cabarga.htmlN4EBE6@3.exe, 00000001.00000002.349782029.000000000D702000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cn4EBE6@3.exe, 00000001.00000003.307561212.000000000C500000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000002.349782029.000000000D702000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.307605500.000000000C51E000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.307638553.000000000C51F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-jones.html4EBE6@3.exe, 00000001.00000002.349782029.000000000D702000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.disig.sk/ca0fInstallUtil.exe, 00000012.00000002.595246005.0000000006B70000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.tiro.com.574EBE6@3.exe, 00000001.00000003.308050243.000000000C520000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://www.jiyu-kobo.co.jp/4EBE6@3.exe, 00000001.00000002.349782029.000000000D702000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers84EBE6@3.exe, 00000001.00000002.349782029.000000000D702000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://ns.adobe.c/g=noise.exe, 0000000D.00000003.363977934.000000000BA34000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000003.361734419.000000000BA30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/4EBE6@3.exe, 00000001.00000003.311208678.000000000C526000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.311319625.000000000C526000.00000004.00000800.00020000.00000000.sdmp, 4EBE6@3.exe, 00000001.00000003.311250923.000000000C526000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.zhongyicts.com.cnJ4EBE6@3.exe, 00000001.00000003.308405539.000000000C4F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://ns.ado/1noise.exe, 0000000D.00000003.513958247.000000000BA34000.00000004.00000800.00020000.00000000.sdmp, noise.exe, 0000000D.00000002.553577663.000000000BA31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.196 | www.google.com | United States | 15169 | GOOGLEUS | false
                                                      Joe Sandbox Version:35.0.0 Citrine
                                                      Analysis ID:679195
Start date and time:2022-08-05 11:56:52 +02:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 11m 43s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:4EBE6@3.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@7/5@3/1
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HDC Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 97%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                      • TCP Packets have been reduced to 100
                                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.152.110.14
                                                      • Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                                                      • Execution Graph export aborted for target 4EBE6@3.exe, PID 400 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
11:58:36 | API Interceptor | 1x Sleep call for process: 4EBE6@3.exe modified
11:58:52 | API Interceptor | 214x Sleep call for process: noise.exe modified
12:00:04 | API Interceptor | 92x Sleep call for process: InstallUtil.exe modified
12:00:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Acrobat C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
12:00:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Acrobat C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                      No context
                                                      Process:C:\Users\user\Desktop\4EBE6@3.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1301
                                                      Entropy (8bit):5.345637324625647
                                                      Encrypted:false
                                                      SSDEEP:24:MLU84jE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4KE4VE4j:MgvjHK5HKXwYHKhQnoPtHoxHhAHKzvr3
                                                      MD5:14823511A171BB647D0EAD502CCA1F8B
                                                      SHA1:C93F72192AA9EDA3AD54C21FECCA44C11C544D59
                                                      SHA-256:82F290E3FEAE38480488B265506CE7949AE3E86E9C8B6619E922EF44615FD28C
                                                      SHA-512:AF9C14E0AF3A03FF518C8EC3688087879249C933519291A6F768500959A28C5E6EC4320BC98309F7DFD4CB30A4A5AAE29EECFAA6A391F4D881145504E4FBC405
                                                      Malicious:true
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                      Process:C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):950
                                                      Entropy (8bit):5.350971482944737
                                                      Encrypted:false
                                                      SSDEEP:24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
                                                      MD5:CEE81B7EB08EE82CFE49E47B81B50D1A
                                                      SHA1:4746C7068BD50E3309BFFDBE8983B8F27D834DFD
                                                      SHA-256:B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
                                                      SHA-512:AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                                                      Process:C:\Users\user\AppData\Local\Temp\noise.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1301
                                                      Entropy (8bit):5.345637324625647
                                                      Encrypted:false
                                                      SSDEEP:24:MLU84jE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4KE4VE4j:MgvjHK5HKXwYHKhQnoPtHoxHhAHKzvr3
                                                      MD5:14823511A171BB647D0EAD502CCA1F8B
                                                      SHA1:C93F72192AA9EDA3AD54C21FECCA44C11C544D59
                                                      SHA-256:82F290E3FEAE38480488B265506CE7949AE3E86E9C8B6619E922EF44615FD28C
                                                      SHA-512:AF9C14E0AF3A03FF518C8EC3688087879249C933519291A6F768500959A28C5E6EC4320BC98309F7DFD4CB30A4A5AAE29EECFAA6A391F4D881145504E4FBC405
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):41064
                                                      Entropy (8bit):6.164873449128079
                                                      Encrypted:false
                                                      SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                      MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                      SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                      SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                      SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):2017
                                                      Entropy (8bit):4.663189584482275
                                                      Encrypted:false
                                                      SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                                                      MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                                                      SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                                                      SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                                                      SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                                                      Malicious:false
                                                      Preview:Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):6.77203058782123
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:4EBE6@3.exe
                                                      File size:641536
                                                      MD5:ade71491b076ca7a43effaf0214dd030
                                                      SHA1:75623647a35d7bfbfc0df5dfc24646c8d53367d1
                                                      SHA256:81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2
                                                      SHA512:0ce24d7d57ef34725fc806b07d54e1423d4c685f81a5471a73f2de18bec01e2c0b4272f30b7a7304847ee478c5f68dfc3a2ea0958b1c4f8be5761a35b801a203
                                                      SSDEEP:6144:EJCAIlFP8EYO+nm5NhbQ26Ldtb5joi2lEfbi4xzn+CzXJFSf19M/6ETrM00nQbql:OO2m5F+dtmi22ZzxSf1q6B0sQuc9Gy
                                                      TLSH:C6D4BE4B7BA05922C07C37F381A556D0D3F2E0CE595DCB8A88CAB3EA2B733816D55953
                                                      Icon Hash:00828e8e8686b000
                                                      Entrypoint:0x49ddbe
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x3319FA86 [Sun Mar 2 22:09:10 1997 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9dd70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0x606 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9bdc4 | 0x9be00 | False | 0.660754560946271 | data | 6.784333135626028 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9e000 | 0x606 | 0x800 | False | 0.3486328125 | data | 3.63470111087347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x9e0a0 | 0x37c | data | |
RT_MANIFEST | 0x9e41c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 11:58:20.907394886 CEST | 64851 | 53 | 192.168.2.3 | 8.8.8.8
Aug 5, 2022 11:58:20.924711943 CEST | 53 | 64851 | 8.8.8.8 | 192.168.2.3
Aug 5, 2022 11:58:38.003500938 CEST | 56417 | 53 | 192.168.2.3 | 8.8.8.8
Aug 5, 2022 11:58:38.020128965 CEST | 53 | 56417 | 8.8.8.8 | 192.168.2.3
Aug 5, 2022 12:00:24.309473991 CEST | 65266 | 53 | 192.168.2.3 | 8.8.8.8
Aug 5, 2022 12:00:24.481308937 CEST | 53 | 65266 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 11:58:20.907394886 CEST | 192.168.2.3 | 8.8.8.8 | 0x58c1 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Aug 5, 2022 11:58:38.003500938 CEST | 192.168.2.3 | 8.8.8.8 | 0xb8a6 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Aug 5, 2022 12:00:24.309473991 CEST | 192.168.2.3 | 8.8.8.8 | 0x54fa | Standard query (0) | multimetals.cfd | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 11:58:20.924711943 CEST | 8.8.8.8 | 192.168.2.3 | 0x58c1 | No error (0) | www.google.com | | 142.250.185.196 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:58:38.020128965 CEST | 8.8.8.8 | 192.168.2.3 | 0xb8a6 | No error (0) | www.google.com | | 142.250.185.196 | A (IP address) | IN (0x0001)
Aug 5, 2022 12:00:24.481308937 CEST | 8.8.8.8 | 192.168.2.3 | 0x54fa | No error (0) | multimetals.cfd | | 192.185.37.183 | A (IP address) | IN (0x0001)
                                                      • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49734 | 142.250.185.196 | 443 | C:\Users\user\Desktop\4EBE6@3.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-05 09:58:21 UTC | 0 | OUT | GET / HTTP/1.1
                                                      Host: www.google.com
                                                      Connection: Keep-Alive
2022-08-05 09:58:21 UTC | 0 | IN | HTTP/1.1 200 OK
                                                      Date: Fri, 05 Aug 2022 09:58:21 GMT
                                                      Expires: -1
                                                      Cache-Control: private, max-age=0
                                                      Content-Type: text/html; charset=ISO-8859-1
                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                      Server: gws
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Set-Cookie: AEC=AakniGMECP0zr5GPVaVTjAqHZbSwe5t9w4XpzpZ0Nnf5kJ9LjiQ-76L5Fw; expires=Wed, 01-Feb-2023 09:58:21 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                      Set-Cookie: __Secure-ENID=6.SE=Z7nxl_KjcWxIEJ0AXNx1pM3SkqW0pkfcmHFqayrTNx1PTkHyepKFAnZC_V6TAnY0QgWZTVOBxRBQZmlyhj_5R7NmTZdXeMdN8K0o953x6LYIaRNJTmVzGRRFyRBkNHNiqfpYyUPFzoRKNwOYCdGdc87esXCufsh7uiOuY_EMSg8; expires=Tue, 05-Sep-2023 02:16:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                      Set-Cookie: CONSENT=PENDING+816; expires=Sun, 04-Aug-2024 09:58:21 GMT; path=/; domain=.google.com; Secure
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      Data Ascii: list-style:none;margin:0;padding:0}.gbmc{background:#fff;padding:10px 0;position:relative;z-index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-sha
                                                      2022-08-05 09:58:21 UTC7INData Raw: 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 63 34 63 34 63 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 31 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 64 64 34 62 33 39 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62
                                                      Data Ascii: ackground-color:#4c4c4c;background-image:none;_background-image:none;background-position:0 -102px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gb
                                                      2022-08-05 09:58:21 UTC8INData Raw: 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 64 64 38 65 32 37 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 66 20 2e 67 62 6d 74 2c 2e 67 62 66 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76
                                                      Data Ascii: .gbmt:visited,.gbnd .gbmt,.gbnd .gbmt:visited{color:#dd8e27 !important}.gbf .gbmt,.gbf .gbmt:visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:v
                                                      2022-08-05 09:58:21 UTC10INData Raw: 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 7d 23 67 62 64 34 20 2e 67 62 6d 68 7b 6d 61 72 67 69 6e 3a 30 7d 2e 67 62 6d 74 63 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62
                                                      Data Ascii: );box-shadow:0 2px 4px rgba(0,0,0,.12);position:relative;z-index:1}#gbd4 .gbmh{margin:0}.gbmtc{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gb
                                                      2022-08-05 09:58:21 UTC11INData Raw: 67 3a 31 30 70 78 20 32 30 70 78 20 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 70 61 6c 61 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 67 62 6d 70 61 6c 62 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f
                                                      Data Ascii: g:10px 20px 0;white-space:nowrap}.gbmpala{padding-left:0;text-align:left}.gbmpalb{padding-right:0;text-align:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.gbmpiaw{display:inline-blo
                                                      2022-08-05 09:58:21 UTC12INData Raw: 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 2e 67 62 71 66 62 2d 6e 6f 2d 66 6f 63 75 73 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 37 39 65 64 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70
                                                      Data Ascii: a(0,0,0,.1)}.gbqfb-no-focus:focus{border:1px solid #3079ed;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1p
                                                      2022-08-05 09:58:21 UTC14INData Raw: 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 7d 2e 67 62 71 66 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64
                                                      Data Ascii: 8);background-image:-moz-linear-gradient(top,#4d90fe,#357ae8);background-image:-ms-linear-gradient(top,#4d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)}.gbqfb:active{background
                                                      2022-08-05 09:58:21 UTC15INData Raw: 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28
                                                      Data Ascii: 1f1f1);background-image:linear-gradient(top,#f8f8f8,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(
                                                      2022-08-05 09:58:21 UTC16INData Raw: 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 63 6f 6c 6f 72 3a 23 32 32 32 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 71 66 62 61 3a 61 63 74 69 76 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61
                                                      Data Ascii: x 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1);color:#222 !important}.gbqfba:active,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpa
                                                      2022-08-05 09:58:21 UTC17INData Raw: 2e 33 29 3b 74 6f 70 3a 30 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 7b 2d 77 65 62 6b 69 74 2d 6d 61 73 6b 2d 62 6f 78 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c
                                                      Data Ascii: .3);top:0}.gbsb .gbsbb{-webkit-mask-box-image:-webkit-gradient(linear,left top,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left top,from(rgba(0,0,0,.2)),
                                                      2022-08-05 09:58:21 UTC19INData Raw: 69 6e 65 7d 2e 66 6c 20 61 7b 63 6f 6c 6f 72 3a 23 31 35 35 38 64 36 7d 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 34 62 31 31 61 38 7d 2e 73 62 6c 63 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 35 70 78 7d 2e 73 62 6c 63 20 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 2e 6c 73 62 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b
                                                      Data Ascii: ine}.fl a{color:#1558d6}a:visited{color:#4b11a8}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height:30px}.lsbb{display:block
                                                      2022-08-05 09:58:21 UTC20INData Raw: 66 26 26 67 3d 3d 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 26 26 28 66 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6f 75 74 65 72 48 54 4d 4c 2e 73 70 6c 69 74 28 22 5c 6e 22 29 5b 66 5d 2c 63 2b 3d 22 26 63 61 64 3d 22 2b 62 28 66 3f 66 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 33 30 30 29 3a 22 4e 6f 20 73 63 72 69 70 74 20 66 6f 75 6e 64 2e 22 29 29 29 3b 63 2b 3d 22 26 6a 73 65 6c 3d 22 2b 65 3b 66 6f 72 28 76 61 72 20 75 20 69 6e 20 64 29 63 2b 3d 22 26 22 2c 63 2b 3d 62 28 75 29 2c 63 2b 3d 22 3d 22 2c 63 2b 3d 62 28 64 5b 75 5d 29 3b 63 3d 63 2b 22 26 65 6d 73 67 3d 22 2b 62 28 61 2e 6e 61 6d 65 2b 22 3a 20 22 2b 61 2e 6d 65 73 73 61 67 65 29 3b 63 3d 63 2b 22 26 6a 73 73 74 3d 22 2b 62 28 61 2e
                                                      Data Ascii: f&&g===window.location.href&&(f=document.documentElement.outerHTML.split("\n")[f],c+="&cad="+b(f?f.substring(0,300):"No script found.")));c+="&jsel="+e;for(var u in d)c+="&",c+=b(u),c+="=",c+=b(d[u]);c=c+"&emsg="+b(a.name+": "+a.message);c=c+"&jsst="+b(a.
                                                      2022-08-05 09:58:21 UTC21INData Raw: 64 2c 63 29 3b 65 6c 73 65 7b 76 61 72 20 66 3d 61 5b 64 5d 3b 61 5b 64 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6b 3d 66 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 2c 6d 3d 63 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 6b 3f 6d 3a 76 6f 69 64 20 30 3d 3d 6d 3f 6b 3a 6d 26 26 6b 7d 7d 7d 76 61 72 20 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 2e 62 76 2e 6d 3d 3d 61 7d 7d 2c 65 61 3d 64 61 28 31 29 2c 66 61 3d 64 61 28 32 29 3b 70 28 22 73 62 22 2c 65 61 29 3b 70 28 22 6b 6e 22 2c 66 61 29 3b 68 2e 61 3d 5f 74 76 76 3b 68 2e 62 3d 5f 74 76 66 3b 68 2e 63 3d 5f 74 76 6e 3b 68
                                                      Data Ascii: d,c);else{var f=a[d];a[d]=function(){var k=f.apply(this,arguments),m=c.apply(this,arguments);return void 0==k?m:void 0==m?k:m&&k}}}var da=function(a){return function(){return g.bv.m==a}},ea=da(1),fa=da(2);p("sb",ea);p("kn",fa);h.a=_tvv;h.b=_tvf;h.c=_tvn;h
                                                      2022-08-05 09:58:21 UTC22INData Raw: 65 34 0d 0a 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 44 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 28 63 3d 77 5b 62 5d 29 26 26 63 5b 30 5d 21 3d 61 3b 2b 2b 62 29 3b 21 63 7c 7c 63 5b 31 5d 2e 6c 7c 7c 63 5b 31 5d 2e 73 7c 7c 28 63 5b 31 5d 2e 73 3d 21 30 2c 73 61 28 32 2c 61 29 2c 63 5b 31 5d 2e 75 72 6c 26 26 72 61 28 63 5b 31 5d 2e 75 72 6c 2c 61 29 2c 63 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 63 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c 2c 76 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 75 61 3d 61 7d 2c 73 61 0d 0a
                                                      Data Ascii: e4head")[0]).appendChild(c)},D=function(a){for(var b=0,c;(c=w[b])&&c[0]!=a;++b);!c||c[1].l||c[1].s||(c[1].s=!0,sa(2,a),c[1].url&&ra(c[1].url,a),c[1].libs&&C&&C(c[1].libs))},ta=function(a){A("gc",a)},ua=null,va=function(a){ua=a},sa
                                                      2022-08-05 09:58:21 UTC22INData Raw: 36 38 66 32 0d 0a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 75 61 29 7b 61 3d 7b 74 3a 61 2c 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 76 29 3b 70 28 22 6d 64 69 22 2c 6c 61 29 3b 70 28 22 62 6e 63 22 2c 77 29 3b 70 28 22 71 47 43 22 2c 74 61 29 3b 70 28 22 71 6d 22 2c 42 29 3b 70 28 22 71 64 22 2c 78 29 3b 70 28 22 6c 62 22 2c 44 29 3b 70 28 22 6d 63 66 22 2c 70 61 29 3b 70 28 22 62 63 66 22 2c 6f 61 29 3b 70 28 22 61 71 22 2c 41 29 3b 70 28 22 6d 64 64 22 2c 22 22 29 3b 0a 70 28 22 68 61 73 22 2c 71 61 29 3b 70 28 22 74 72 68 22 2c 76 61 29 3b 70 28 22 74 65 76 22 2c 73 61 29 3b 69
                                                      Data Ascii: 68f2=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",v);p("mdi",la);p("bnc",w);p("qGC",ta);p("qm",B);p("qd",x);p("lb",D);p("mcf",pa);p("bcf",oa);p("aq",A);p("mdd","");p("has",qa);p("trh",va);p("tev",sa);i
                                                      2022-08-05 09:58:21 UTC24INData Raw: 7b 74 72 79 7b 69 66 28 31 3e 47 61 29 7b 47 61 2b 2b 3b 76 61 72 20 63 3d 61 3b 62 3d 62 7c 7c 7b 7d 3b 76 61 72 20 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 2c 66 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 2c 22 26 6a 65 78 70 69 64 3d 22 2c 64 28 22 32 38 38 33 34 22 29 2c 22 26 73 72 63 70 67 3d 22 2c 64 28 22 70 72 6f 70 3d 31 22 29 2c 22 26 6a 73 72 3d 22 2c 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 46 61 29 2c 22 26 6f 67 65 76 3d 22 2c 64 28 22 76 65 6e 73 59 6f 62 2d 49 4b 57 41 69 4c 4d 50 6d 66 53 43 71 41 51 22 29 2c 22 26 6f 67 66 3d 22 2c 67 2e 62 76 2e 66 2c 22 26 6f 67 72 70 3d 22 2c 64 28
                                                      Data Ascii: {try{if(1>Ga){Ga++;var c=a;b=b||{};var d=encodeURIComponent,f=["//www.google.com/gen_204?atyp=i&zx=",(new Date).getTime(),"&jexpid=",d("28834"),"&srcpg=",d("prop=1"),"&jsr=",Math.round(1/Fa),"&ogev=",d("vensYob-IKWAiLMPmfSCqAQ"),"&ogf=",g.bv.f,"&ogrp=",d(
                                                      2022-08-05 09:58:21 UTC25INData Raw: 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 2c 22 2f 6f 67 2f 5f 2f 6a 73 2f 64 3d 31 2f 6b 3d 22 2c 22 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 32 63 74 44 37 74 74 6f 2d 70 41 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 74 50 4e 4d 68 44 2d 72 38 67 5a 48 5a 58 56 68 6e 56 57 61 43 30 46 53 69 36 6f 67 22 5d 3b 4b 61 26 26 61 2e 70 75 73 68 28 22 3f 68 6f 73 74 3d 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 26 62 75 73 74 3d 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 62 6d 48 52 47 50 74 37 41 4d 77 2e 44 55 22 29 3b 61 3d 61 2e 6a 6f 69 6e 28 22 22 29 3b 72 61 28 61 29 7d 3b 70 28 22 63 61 22 2c 4a 29 3b 70 28 22 63 72 22 2c 4b 29 3b 70 28 22 63 63 22 2c 48 29 3b 68 2e 6b 3d 4a 3b
                                                      Data Ascii: https://www.gstatic.com","/og/_/js/d=1/k=","og.og2.en_US.2ctD7tto-pA.O","/rt=j/m=",a,"/rs=","AA2YrTtPNMhD-r8gZHZXVhnVWaC0FSi6og"];Ka&&a.push("?host=www.gstatic.com&bust=og.og2.en_US.bmHRGPt7AMw.DU");a=a.join("");ra(a)};p("ca",J);p("cr",K);p("cc",H);h.k=J;
                                                      2022-08-05 09:58:21 UTC26INData Raw: 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4f 29 3b 69 66 28 6d 26 26 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 6e 3d 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 6e 29 3b 6c 26 26 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 4b 28 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 22 67 62 74 6f 22 29 7d 7d 7d 24 61 28 66 29 26 26 61 62 28 66 29 3b 4f 3d 64 3b 4a 28 6b 2c 22 67 62 74 6f 22 29 7d 7d 7d 7d 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 74 67 28 61 2c 62 2c 21 30 29 7d 29 3b 62 62 28 61 29 7d 63 61 74 63 68 28 71 29 7b 72 28 71 2c 22 73 62 22 2c 22 74 67 22 29 7d 7d 2c
                                                      Data Ascii: getElementById(O);if(m&&m.getAttribute){var n=m.getAttribute("aria-owner");if(n.length){var l=document.getElementById(n);l&&l.parentNode&&K(l.parentNode,"gbto")}}}$a(f)&&ab(f);O=d;J(k,"gbto")}}}}B(function(){g.tg(a,b,!0)});bb(a)}catch(q){r(q,"sb","tg")}},
                                                      2022-08-05 09:58:21 UTC28INData Raw: 74 20 67 62 6d 68 22 3b 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 7a 29 3b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 79 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 6c 5d 29 7d 67 2e 61 64 64 48 6f 76 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 29 7d 7d 63 61 74 63 68 28 45 62 29 7b 72 28 45 62 2c 22 73 62 22 2c 22 61 6c 22 29 7d 7d 2c 66 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 63 3d 62 2e 6c 65 6e 67 74 68 2c 0a 64 3d 30 3b 64 3c 63 3b 64 2b 2b 29 69 66 28 48 28 61 2c 62 5b 64 5d 29 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 62 28 61 2c 62 2c 63 29 7d 2c 69 62 3d 66 75 6e 63 74
                                                      Data Ascii: t gbmh";y.appendChild(z);k.insertBefore(y,k.childNodes[l])}g.addHover&&g.addHover(a)}else k.appendChild(m)}}catch(Eb){r(Eb,"sb","al")}},fb=function(a,b){for(var c=b.length,d=0;d<c;d++)if(H(a,b[d]))return!0;return!1},hb=function(a,b,c){gb(a,b,c)},ib=funct
                                                      2022-08-05 09:58:21 UTC29INData Raw: 21 30 29 7d 7d 7d 2c 51 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 28 62 3d 76 6f 69 64 20 30 21 3d 3d 62 3f 62 3a 21 30 29 3f 4a 28 61 2c 22 67 62 6d 73 67 6f 22 29 3a 4b 28 61 2c 22 67 62 6d 73 67 6f 22 29 7d 2c 24 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 62 5d 3b 62 2b 2b 29 69 66 28 48 28 63 2c 22 67 62 6d 73 67 22 29 29 72 65 74 75 72 6e 20 63 7d 2c 50 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 71 62 26 26 77 69 6e 64 6f 77 2e 63 6c 65 61 72 54 69 6d 65 6f 75 74 28 71 62 29 7d 2c 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 69 6e 6e 65 72 22 2b 61 3b 61 3d 22 6f 66 66 73 65 74 22 2b 61 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 5b 62 5d 3f 77 69 6e
                                                      Data Ascii: !0)}}},Q=function(a,b){(b=void 0!==b?b:!0)?J(a,"gbmsgo"):K(a,"gbmsgo")},$a=function(a){for(var b=0,c;c=a.childNodes[b];b++)if(H(c,"gbmsg"))return c},P=function(){qb&&window.clearTimeout(qb)},ub=function(a){var b="inner"+a;a="offset"+a;return window[b]?win
                                                      2022-08-05 09:58:21 UTC30INData Raw: 76 2e 67 63 3d 42 62 3b 76 61 72 20 43 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 61 70 69 73 26 26 77 69 6e 64 6f 77 2e 69 66 72 61 6d 65 73 3f 61 26 26 61 28 29 3a 28 61 26 26 74 61 28 61 29 2c 44 28 22 67 63 22 29 29 7d 3b 70 28 22 6c 47 43 22 2c 43 62 29 3b 68 2e 61 28 22 31 22 29 26 26 70 28 22 6c 50 57 46 22 2c 43 62 29 7d 3b 77 69 6e 64 6f 77 2e 5f 5f 50 56 54 3d 22 22 3b 69 66 28 68 2e 61 28 22 31 22 29 26 26 68 2e 61 28 22 31 22 29 29 7b 76 61 72 20 44 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 62 28 66 75 6e 63 74 69 6f 6e 28 29 7b 41 28 22 70 77 22 2c 61 29 3b 44 28 22 70 77 22 29 7d 29 7d 3b 70 28 22 6c 50 57 22 2c 44 62 29 3b 77 2e 70 75 73 68 28 5b 22 70 77 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67
                                                      Data Ascii: v.gc=Bb;var Cb=function(a){window.googleapis&&window.iframes?a&&a():(a&&ta(a),D("gc"))};p("lGC",Cb);h.a("1")&&p("lPWF",Cb)};window.__PVT="";if(h.a("1")&&h.a("1")){var Db=function(a){Cb(function(){A("pw",a);D("pw")})};p("lPW",Db);w.push(["pw",{url:"//ssl.g
                                                      2022-08-05 09:58:21 UTC31INData Raw: 36 34 34 33 35 35 39 35 2e 30 22 29 2c 55 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 37 30 36 2e 30 5f 70 30 22 29 2c 49 3d 64 28 22 63 6f 6d 22 29 2c 56 3d 64 28 22 64 65 22 29 2c 57 3d 0a 64 28 22 44 45 55 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 66 2c 22 26 6f 67 65 3d 22 2c 61 2c 22 26 6f 67 65 78 3d 22 2c 6b 2c 22 26 6f 67 65 76 3d 22 2c 6d 2c 22 26 6f 67 66 3d 22 2c 6c 2c 22 26 6f 67 70 3d 22 2c 71 2c 22 26 6f 67 72 70 3d 22 2c 6e 2c 22 26 6f
                                                      Data Ascii: 64435595.0"),U="&oggv="+d("es_plusone_gc_20220706.0_p0"),I=d("com"),V=d("de"),W=d("DEU");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",f,"&oge=",a,"&ogex=",k,"&ogev=",m,"&ogf=",l,"&ogp=",q,"&ogrp=",n,"&o
                                                      2022-08-05 09:58:21 UTC33INData Raw: 3b 6d 62 28 22 67 62 64 34 22 2c 55 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 61 63 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28 22 31 22 29 2c 6d 67 3a 22 25 31 24 73 20 28 64 65 6c 65 67 69 65 72 74 29 22 2c 6d 64 3a 22 25 31 24 73 20 28 53 74 61 6e 64 61 72 64 29 22 2c 6d 68 3a 22 32 32 30 22 2c 73 3a 22 31 22 2c 70 70 3a 5a 62 2c 70 70 6c 3a 68 2e 61 28 22 22 29 2c 70 70 61 3a 68 2e 61 28 22 22 29 2c 0a 70 70 6d 3a 22 47 6f 6f 67 6c 65 2b 20 53 65 69 74 65 22 7d 3b 76 2e 70
                                                      Data Ascii: ;mb("gbd4",Ub);if(h.a("")){var ac={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a("1"),mg:"%1$s (delegiert)",md:"%1$s (Standard)",mh:"220",s:"1",pp:Zb,ppl:h.a(""),ppa:h.a(""),ppm:"Google+ Seite"};v.p
                                                      2022-08-05 09:58:21 UTC34INData Raw: 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 6c 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 6d 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 74 72 79 7b 6a 63 28 64 6f 63 75 6d 65 6e 74 29 7c 7c 28 64 7c 7c 28 62 3d 22 6f 67 2d 75 70 2d 22 2b 62 29 2c 6b 63 28 29 3f 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 73 65 74 49 74 65 6d 28 62 2c 63 29 3a 6c 63 28 61 29 26 26 28 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 62 2c 63 29 2c 61 2e 73 61 76 65 28 61 2e 69 64
                                                      Data Ascii: "==typeof e.localStorage}catch(a){return!1}},lc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeof a.load},mc=function(a,b,c,d){try{jc(document)||(d||(b="og-up-"+b),kc()?e.localStorage.setItem(b,c):lc(a)&&(a.setAttribute(b,c),a.save(a.id


                                                      Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                      1           192.168.2.3  49744        142.250.185.196  443               C:\Users\user\Desktop\4EBE6@3.exe
                                                      Timestamp                kBytes transferred  Direction  Data
                                                      2022-08-05 09:58:39 UTC  49                  OUT        GET / HTTP/1.1
                                                      Host: www.google.com
                                                      Connection: Keep-Alive
                                                      2022-08-05 09:58:39 UTC  49                  IN         HTTP/1.1 200 OK
                                                      Date: Fri, 05 Aug 2022 09:58:39 GMT
                                                      Expires: -1
                                                      Cache-Control: private, max-age=0
                                                      Content-Type: text/html; charset=ISO-8859-1
                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                      Server: gws
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Set-Cookie: AEC=AakniGOAL6F9KPEZAKOJKonBHQENoNTVXP9k6XPyVReh2m3WEQaw1lYh4A; expires=Wed, 01-Feb-2023 09:58:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                      Set-Cookie: __Secure-ENID=6.SE=JwBdYDAvxPuGuQMM-KmJ5Zc55RvTPU92IHdr1tblJ3F-67_sInM0z2G6b_fYg474_LU89jb7lVPdPI3SlIdYWqfmCNS2uTXD0reCEruLhnt1TG5sYE_Ihl7STyBV_gMfnQtDTBIbdTh3TYS48WDj7tAfANMX7RbajrZmBPSYFsQ; expires=Tue, 05-Sep-2023 02:16:57 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                      Set-Cookie: CONSENT=PENDING+795; expires=Sun, 04-Aug-2024 09:58:39 GMT; path=/; domain=.google.com; Secure
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      Data Ascii: e7a=function(a){A("gc",a)},ua=null,va=function(a){ua=a},sa=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",v);p("mdi",la);p("bnc",w);p("qGC",ta);p("qm",B);p("qd",x);p("lb",D);p("mcf",pa
                                                      2022-08-05 09:58:39 UTC72INData Raw: 36 38 34 33 0d 0a 29 3b 70 28 22 62 63 66 22 2c 6f 61 29 3b 70 28 22 61 71 22 2c 41 29 3b 70 28 22 6d 64 64 22 2c 22 22 29 3b 0a 70 28 22 68 61 73 22 2c 71 61 29 3b 70 28 22 74 72 68 22 2c 76 61 29 3b 70 28 22 74 65 76 22 2c 73 61 29 3b 69 66 28 68 2e 61 28 22 6d 3b 2f 5f 2f 73 63 73 2f 61 62 63 2d 73 74 61 74 69 63 2f 5f 2f 6a 73 2f 6b 3d 67 61 70 69 2e 67 61 70 69 2e 65 6e 2e 74 39 7a 37 56 50 73 45 4d 46 67 2e 4f 2f 64 3d 31 2f 72 73 3d 41 48 70 4f 6f 6f 38 6f 44 5f 35 46 51 57 33 6b 54 33 6b 73 57 77 6d 58 49 57 76 68 68 71 62 4b 64 77 2f 6d 3d 5f 5f 66 65 61 74 75 72 65 73 5f 5f 22 29 29 7b 76 61 72 20 46 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 77 61 3f 61 7c 7c 62 3a 62 7d 2c 78 61 3d 68 2e 61 28 22 31 22 29 2c 79 61 3d 68
                                                      Data Ascii: 6843);p("bcf",oa);p("aq",A);p("mdd","");p("has",qa);p("trh",va);p("tev",sa);if(h.a("m;/_/scs/abc-static/_/js/k=gapi.gapi.en.t9z7VPsEMFg.O/d=1/rs=AHpOoo8oD_5FQW3kT3ksWwmXIWvhhqbKdw/m=__features__")){var F=function(a,b){return wa?a||b:b},xa=h.a("1"),ya=h
                                                      2022-08-05 09:58:39 UTC73INData Raw: 61 74 68 2e 72 6f 75 6e 64 28 31 2f 46 61 29 2c 22 26 6f 67 65 76 3d 22 2c 64 28 22 7a 2d 6e 73 59 73 2d 4f 43 73 4c 54 79 74 4d 50 72 76 43 69 71 41 77 22 29 2c 22 26 6f 67 66 3d 22 2c 67 2e 62 76 2e 66 2c 22 26 6f 67 72 70 3d 22 2c 64 28 22 22 29 2c 22 26 6f 67 76 3d 22 2c 64 28 22 34 36 34 34 33 35 35 39 35 2e 30 22 29 2c 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 37 30 36 2e 30 5f 70 30 22 29 2c 22 26 6f 67 64 3d 22 2c 64 28 22 63 6f 6d 22 29 2c 22 26 6f 67 63 3d 22 2c 64 28 22 44 45 55 22 29 2c 22 26 6f 67 6c 3d 22 2c 64 28 22 64 65 22 29 5d 3b 62 2e 5f 73 6e 26 26 28 62 2e 5f 73 6e 3d 0a 22 6f 67 2e 22 2b 62 2e 5f 73 6e 29 3b 66 6f 72 28 76 61 72 20 6b 20 69 6e 20 62 29 66 2e 70 75 73 68 28 22 26 22
                                                      Data Ascii: ath.round(1/Fa),"&ogev=",d("z-nsYs-OCsLTytMPrvCiqAw"),"&ogf=",g.bv.f,"&ogrp=",d(""),"&ogv=",d("464435595.0"),"&oggv="+d("es_plusone_gc_20220706.0_p0"),"&ogd=",d("com"),"&ogc=",d("DEU"),"&ogl=",d("de")];b._sn&&(b._sn="og."+b._sn);for(var k in b)f.push("&"
                                                      2022-08-05 09:58:39 UTC74INData Raw: 2e 65 6e 5f 55 53 2e 62 6d 48 52 47 50 74 37 41 4d 77 2e 44 55 22 29 3b 61 3d 61 2e 6a 6f 69 6e 28 22 22 29 3b 72 61 28 61 29 7d 3b 70 28 22 63 61 22 2c 4a 29 3b 70 28 22 63 72 22 2c 4b 29 3b 70 28 22 63 63 22 2c 48 29 3b 68 2e 6b 3d 4a 3b 68 2e 6c 3d 4b 3b 68 2e 6d 3d 48 3b 68 2e 6e 3d 4d 61 3b 68 2e 70 3d 4f 61 3b 68 2e 71 3d 4e 61 3b 76 61 72 20 50 61 3d 5b 22 67 62 5f 37 31 22 2c 22 67 62 5f 31 35 35 22 5d 2c 51 61 3b 66 75 6e 63 74 69 6f 6e 20 52 61 28 61 29 7b 51 61 3d 61 7d 66 75 6e 63 74 69 6f 6e 20 53 61 28 61 29 7b 76 61 72 20 62 3d 51 61 26 26 21 61 2e 68 72 65 66 2e 6d 61 74 63 68 28 2f 2e 2a 5c 2f 61 63 63 6f 75 6e 74 73 5c 2f 43 6c 65 61 72 53 49 44 5b 3f 5d 2f 29 26 26 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 51 61 28 29 29
                                                      Data Ascii: .en_US.bmHRGPt7AMw.DU");a=a.join("");ra(a)};p("ca",J);p("cr",K);p("cc",H);h.k=J;h.l=K;h.m=H;h.n=Ma;h.p=Oa;h.q=Na;var Pa=["gb_71","gb_155"],Qa;function Ra(a){Qa=a}function Sa(a){var b=Qa&&!a.href.match(/.*\/accounts\/ClearSID[?]/)&&encodeURIComponent(Qa())
                                                      2022-08-05 09:58:39 UTC76INData Raw: 3b 4f 3d 64 3b 4a 28 6b 2c 22 67 62 74 6f 22 29 7d 7d 7d 7d 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 74 67 28 61 2c 62 2c 21 30 29 7d 29 3b 62 62 28 61 29 7d 63 61 74 63 68 28 71 29 7b 72 28 71 2c 22 73 62 22 2c 22 74 67 22 29 7d 7d 2c 64 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 63 6c 6f 73 65 28 61 29 7d 29 7d 2c 65 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 72 64 64 28 61 29 7d 29 7d 2c 5a 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 2c 63 3d 64 6f 63 75 6d 65 6e 74 2e 64 65 66 61 75 6c 74 56 69 65 77 3b 63 26 26 63 2e 67 65 74 43 6f 6d 70 75 74 65 64 53 74 79 6c 65 3f 28 61 3d 63 2e 67 65 74 43 6f 6d 70 75 74 65 64 53 74 79 6c 65 28 61 2c 22 22 29
                                                      Data Ascii: ;O=d;J(k,"gbto")}}}}B(function(){g.tg(a,b,!0)});bb(a)}catch(q){r(q,"sb","tg")}},db=function(a){B(function(){g.close(a)})},eb=function(a){B(function(){g.rdd(a)})},Za=function(a){var b,c=document.defaultView;c&&c.getComputedStyle?(a=c.getComputedStyle(a,"")
                                                      2022-08-05 09:58:39 UTC77INData Raw: 30 3b 64 3c 63 3b 64 2b 2b 29 69 66 28 48 28 61 2c 62 5b 64 5d 29 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 62 28 61 2c 62 2c 63 29 7d 2c 69 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 62 28 61 2c 22 67 62 65 22 2c 62 29 7d 2c 6a 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 70 63 6d 26 26 67 2e 70 63 6d 28 29 7d 29 7d 2c 6b 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 70 63 61 26 26 67 2e 70 63 61 28 29 7d 29 7d 2c 6c 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 2c 66 2c 6b 2c 6d 2c 6e 2c 6c 2c 71 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 70 61 61 26 26 67 2e 70 61 61 28 61 2c
                                                      Data Ascii: 0;d<c;d++)if(H(a,b[d]))return!0;return!1},hb=function(a,b,c){gb(a,b,c)},ib=function(a,b){gb(a,"gbe",b)},jb=function(){B(function(){g.pcm&&g.pcm()})},kb=function(){B(function(){g.pca&&g.pca()})},lb=function(a,b,c,d,f,k,m,n,l,q){B(function(){g.paa&&g.paa(a,
                                                      2022-08-05 09:58:39 UTC78INData Raw: 65 61 72 54 69 6d 65 6f 75 74 28 71 62 29 7d 2c 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 69 6e 6e 65 72 22 2b 61 3b 61 3d 22 6f 66 66 73 65 74 22 2b 61 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 5b 62 5d 3f 77 69 6e 64 6f 77 5b 62 5d 3a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 26 26 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 5b 61 5d 3f 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 5b 61 5d 3a 30 7d 2c 76 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 21 31 7d 2c 77 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 21 21 4f 7d 3b 70 28 22 73 6f 22 2c 57 61 29 3b 70 28 22 73 6f 73 22 2c 56 61 29 3b 70 28 22 73 69 22 2c 58 61 29 3b
                                                      Data Ascii: earTimeout(qb)},ub=function(a){var b="inner"+a;a="offset"+a;return window[b]?window[b]:document.documentElement&&document.documentElement[a]?document.documentElement[a]:0},vb=function(){return!1},wb=function(){return!!O};p("so",Wa);p("sos",Va);p("si",Xa);
                                                      2022-08-05 09:58:39 UTC79INData Raw: 69 6f 6e 28 61 29 7b 43 62 28 66 75 6e 63 74 69 6f 6e 28 29 7b 41 28 22 70 77 22 2c 61 29 3b 44 28 22 70 77 22 29 7d 29 7d 3b 70 28 22 6c 50 57 22 2c 44 62 29 3b 77 2e 70 75 73 68 28 5b 22 70 77 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 70 77 6d 5f 34 35 66 37 33 65 34 64 66 30 37 61 30 65 33 38 38 62 30 66 61 31 66 33 64 33 30 65 37 32 38 30 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 46 62 3d 5b 5d 2c 47 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 46 62 5b 30 5d 3d 61 7d 2c 48 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 62 7c 7c 7b 7d 3b 62 2e 5f 73 6e 3d 22 70 77 22 3b 74 28 61 2c 62 29 7d 2c 49 62 3d 7b 73 69 67 6e 65 64 3a 46 62 2c 65 6c 6f 67 3a 48 62 2c 62 61 73 65 3a 22 68 74 74 70
                                                      Data Ascii: ion(a){Cb(function(){A("pw",a);D("pw")})};p("lPW",Db);w.push(["pw",{url:"//ssl.gstatic.com/gb/js/abc/pwm_45f73e4df07a0e388b0fa1f3d30e7280.js"}]);var Fb=[],Gb=function(a){Fb[0]=a},Hb=function(a,b){b=b||{};b._sn="pw";t(a,b)},Ib={signed:Fb,elog:Hb,base:"http
                                                      2022-08-05 09:58:39 UTC81INData Raw: 61 74 79 70 3d 69 26 7a 78 3d 22 2c 66 2c 22 26 6f 67 65 3d 22 2c 61 2c 22 26 6f 67 65 78 3d 22 2c 6b 2c 22 26 6f 67 65 76 3d 22 2c 6d 2c 22 26 6f 67 66 3d 22 2c 6c 2c 22 26 6f 67 70 3d 22 2c 71 2c 22 26 6f 67 72 70 3d 22 2c 6e 2c 22 26 6f 67 73 72 3d 22 2c 63 2c 22 26 6f 67 76 3d 22 2c 45 2c 55 2c 22 26 6f 67 64 3d 22 2c 49 2c 22 26 6f 67 6c 3d 22 2c 56 2c 22 26 6f 67 63 3d 22 2c 57 2c 22 26 6f 67 75 73 3d 22 2c 79 5d 3b 69 66 28 62 29 7b 22 6f 67 77 22 69 6e 20 62 26 26 28 61 2e 70 75 73 68 28 22 26 6f 67 77 3d 22 2b 62 2e 6f 67 77 29 2c 64 65 6c 65 74 65 20 62 2e 6f 67 77 29 3b 66 3d 5b 5d 3b 66 6f 72 28 7a 20 69 6e 20 62 29 30 21 3d 66 2e 6c 65 6e 67 74 68 26 26 66 2e 70 75 73 68 28 22 2c 22 29 2c 66 2e 70 75 73 68 28 52 62 28 7a 29 29 2c 66 2e 70 75
                                                      Data Ascii: atyp=i&zx=",f,"&oge=",a,"&ogex=",k,"&ogev=",m,"&ogf=",l,"&ogp=",q,"&ogrp=",n,"&ogsr=",c,"&ogv=",E,U,"&ogd=",I,"&ogl=",V,"&ogc=",W,"&ogus=",y];if(b){"ogw"in b&&(a.push("&ogw="+b.ogw),delete b.ogw);f=[];for(z in b)0!=f.length&&f.push(","),f.push(Rb(z)),f.pu
                                                      2022-08-05 09:58:39 UTC82INData Raw: 74 61 6e 64 61 72 64 29 22 2c 6d 68 3a 22 32 32 30 22 2c 73 3a 22 31 22 2c 70 70 3a 5a 62 2c 70 70 6c 3a 68 2e 61 28 22 22 29 2c 70 70 61 3a 68 2e 61 28 22 22 29 2c 0a 70 70 6d 3a 22 47 6f 6f 67 6c 65 2b 20 53 65 69 74 65 22 7d 3b 76 2e 70 72 66 3d 61 63 7d 3b 76 61 72 20 53 2c 62 63 2c 54 2c 63 63 2c 58 3d 30 2c 64 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 2e 69 6e 64 65 78 4f 66 29 72 65 74 75 72 6e 20 61 2e 69 6e 64 65 78 4f 66 28 62 2c 63 29 3b 69 66 28 41 72 72 61 79 2e 69 6e 64 65 78 4f 66 29 72 65 74 75 72 6e 20 41 72 72 61 79 2e 69 6e 64 65 78 4f 66 28 61 2c 62 2c 63 29 3b 66 6f 72 28 63 3d 6e 75 6c 6c 3d 3d 63 3f 30 3a 30 3e 63 3f 4d 61 74 68 2e 6d 61 78 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 63 29 3a 63 3b 63 3c 61 2e 6c 65
                                                      Data Ascii: tandard)",mh:"220",s:"1",pp:Zb,ppl:h.a(""),ppa:h.a(""),ppm:"Google+ Seite"};v.prf=ac};var S,bc,T,cc,X=0,dc=function(a,b,c){if(a.indexOf)return a.indexOf(b,c);if(Array.indexOf)return Array.indexOf(a,b,c);for(c=null==c?0:0>c?Math.max(0,a.length+c):c;c<a.le
                                                      2022-08-05 09:58:39 UTC83INData Raw: 75 70 2d 22 2b 62 29 2c 6b 63 28 29 3f 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 73 65 74 49 74 65 6d 28 62 2c 63 29 3a 6c 63 28 61 29 26 26 28 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 62 2c 63 29 2c 61 2e 73 61 76 65 28 61 2e 69 64 29 29 29 7d 63 61 74 63 68 28 66 29 7b 66 2e 63 6f 64 65 21 3d 44 4f 4d 45 78 63 65 70 74 69 6f 6e 2e 51 55 4f 54 41 5f 45 58 43 45 45 44 45 44 5f 45 52 52 26 26 72 28 66 2c 22 75 70 22 2c 22 73 70 64 22 29 7d 7d 2c 6e 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 74 72 79 7b 69 66 28 6a 63 28 64 6f 63 75 6d 65 6e 74 29 29 72 65 74 75 72 6e 22 22 3b 0a 63 7c 7c 28 62 3d 22 6f 67 2d 75 70 2d 22 2b 62 29 3b 69 66 28 6b 63 28 29 29 72 65 74 75 72 6e 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65
                                                      Data Ascii: up-"+b),kc()?e.localStorage.setItem(b,c):lc(a)&&(a.setAttribute(b,c),a.save(a.id)))}catch(f){f.code!=DOMException.QUOTA_EXCEEDED_ERR&&r(f,"up","spd")}},nc=function(a,b,c){try{if(jc(document))return"";c||(b="og-up-"+b);if(kc())return e.localStorage.getIte
                                                      2022-08-05 09:58:39 UTC84INData Raw: 30 3c 66 2d 2d 3f 73 65 74 54 69 6d 65 6f 75 74 28 62 2c 30 29 3a 61 28 29 7d 76 61 72 20 63 3d 68 2e 61 28 22 31 22 29 2c 64 3d 68 2e 61 28 22 22 29 2c 66 3d 33 2c 6b 3d 77 2c 6d 3d 30 2c 6e 3d 77 69 6e 64 6f 77 2e 67 62 61 72 4f 6e 52 65 61 64 79 3b 69 66 28 6e 29 74 72 79 7b 6e 28 29 7d 63 61 74 63 68 28 6c 29 7b 72 28 6c 2c 22 6d 6c 22 2c 22 6f 72 22 29 7d 64 3f 70 28 22 6c 64 62 22 2c 61 29 3a 63 3f 63 61 28 77 69 6e 64 6f 77 2c 22 6c 6f 61 64 22 2c 62 29 3a 62 28 29 7d 70 28 22 72 64 6c 22 2c 72 63 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75
                                                      Data Ascii: 0<f--?setTimeout(b,0):a()}var c=h.a("1"),d=h.a(""),f=3,k=w,m=0,n=window.gbarOnReady;if(n)try{n()}catch(l){r(l,"ml","or")}d?p("ldb",a):c?ca(window,"load",b):b()}p("rdl",rc);}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(fu
                                                      2022-08-05 09:58:39 UTC86INData Raw: 67 62 5f 22 2b 61 29 3b 62 26 26 66 2e 6c 28 62 2c 68 2e 74 65 73 74 28 62 2e 63 6c 61 73 73 4e 61 6d 65 29 3f 22 67 62 6d 30 6c 22 3a 22 67 62 7a 30 6c 22 29 3b 63 26 26 66 2e 6b 28 63 2c 68 2e 74 65 73 74 28 63 2e 63 6c 61 73 73 4e 61 6d 65 29 3f 22 67 62 6d 30 6c 22 3a 22 67 62 7a 30 6c 22 29 7d 63 61 74 63 68 28 6c 29 7b 64 28 6c 2c 22 73 6a 22 2c 22 73 73 70 22 29 7d 67 3d 61 7d 2c 6d 3d 65 2e 71 73 2c 6e 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 61 2e 68 72 65 66 3b 76 61 72 20 63 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6d 61 74 63 68 28 2f 2e 2a 3f 3a 5c 2f 5c 2f 5b 5e 5c 2f 5d 2a 2f 29 5b 30 5d 3b 63 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5e 22 2b 63 2b 22 2f 73 65 61 72 63 68 5c 5c 3f 22 29 3b 28 62 3d 63
                                                      Data Ascii: gb_"+a);b&&f.l(b,h.test(b.className)?"gbm0l":"gbz0l");c&&f.k(c,h.test(c.className)?"gbm0l":"gbz0l")}catch(l){d(l,"sj","ssp")}g=a},m=e.qs,n=function(a){var b=a.href;var c=window.location.href.match(/.*?:\/\/[^\/]*/)[0];c=new RegExp("^"+c+"/search\\?");(b=c
                                                      2022-08-05 09:58:39 UTC87INData Raw: 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 77 69 6e 64 6f 77 2e 67 62 61 72 2e 72 64 6c 28 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 66
                                                      Data Ascii: sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/window.gbar.rdl();}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();</script></head><body bgcolor="#f
                                                      2022-08-05 09:58:39 UTC88INData Raw: 73 3d 67 62 74 73 3e 50 6c 61 79 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 33 36 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 3f 67 6c 3d 44 45 26 74 61 62 3d 77 31 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 59 6f 75 54 75 62 65 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 34 32 36 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6e 65 77 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3f 74 61 62 3d 77 6e 22 3e 3c 73 70 61
                                                      Data Ascii: s=gbts>Play</span></a></li><li class=gbt><a class=gbzt id=gb_36 href="https://www.youtube.com/?gl=DE&tab=w1"><span class=gbtb2></span><span class=gbts>YouTube</span></a></li><li class=gbt><a class=gbzt id=gb_426 href="https://news.google.com/?tab=wn"><spa
                                                      2022-08-05 09:58:39 UTC90INData Raw: 26 74 61 62 3d 77 54 22 3e dc 62 65 72 73 65 74 7a 65 72 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 31 30 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 6f 6f 6b 73 2e 67 6f 6f 67 6c 65 2e 64 65 2f 3f 68 6c 3d 64 65 26 74 61 62 3d 77 70 22 3e 42 6f 6f 6b 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 36 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 64 65 2f 73 68 6f 70 70 69 6e 67 3f 68 6c 3d 64 65 26 73 6f 75 72 63 65 3d 6f 67 26 74 61 62 3d 77 66 22 3e 53 68 6f 70 70 69 6e 67 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d
                                                      Data Ascii: &tab=wT">bersetzer</a></li><li class=gbmtc><a class=gbmt id=gb_10 href="https://books.google.de/?hl=de&tab=wp">Books</a></li><li class=gbmtc><a class=gbmt id=gb_6 href="https://www.google.de/shopping?hl=de&source=og&tab=wf">Shopping</a></li><li class=gbm
                                                      2022-08-05 09:58:39 UTC91INData Raw: 65 2e 63 6f 6d 2f 53 65 72 76 69 63 65 4c 6f 67 69 6e 3f 68 6c 3d 64 65 26 70 61 73 73 69 76 65 3d 74 72 75 65 26 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 26 65 63 3d 47 41 5a 41 41 51 22 20 6f 6e 63 6c 69 63 6b 3d 22 67 62 61 72 2e 6c 6f 67 67 65 72 2e 69 6c 28 39 2c 7b 6c 3a 27 69 27 7d 29 22 20 69 64 3d 67 62 5f 37 30 20 63 6c 61 73 73 3d 67 62 67 74 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 67 62 67 73 34 20 63 6c 61 73 73 3d 67 62 74 73 3e 3c 73 70 61 6e 20 69 64 3d 67 62 69 34 73 31 3e 41 6e 6d 65 6c 64 65 6e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 74 20 67 62 74 62
                                                      Data Ascii: e.com/ServiceLogin?hl=de&passive=true&continue=https://www.google.com/&ec=GAZAAQ" onclick="gbar.logger.il(9,{l:'i'})" id=gb_70 class=gbgt><span class=gbtb2></span><span id=gbgs4 class=gbts><span id=gbi4s1>Anmelden</span></span></a></li><li class="gbt gbtb
                                                      2022-08-05 09:58:39 UTC92INData Raw: 32 78 39 32 64 70 2e 70 6e 67 22 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 38 70 78 20 30 20 31 34 70 78 22 20 77 69 64 74 68 3d 22 32 37 32 22 20 69 64 3d 22 68 70 6c 6f 67 6f 22 3e 3c 62 72 3e 3c 62 72 3e 3c 2f 64 69 76 3e 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 73 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 66 22 3e 3c 74 61 62 6c 65 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 22 30 22 3e 3c 74 72 20 76 61 6c 69 67 6e 3d 22 74 6f 70 22 3e 3c 74 64 20 77 69 64 74 68 3d 22 32 35 25 22 3e 26 6e 62 73 70 3b 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 6e 6f 77 72 61 70 3d 22 22 3e 3c 69 6e 70 75 74 20 6e 61 6d 65 3d 22 69 65 22 20 76 61 6c 75 65 3d 22 49 53 4f 2d 38 38 35 39 2d
                                                      Data Ascii: 2x92dp.png" style="padding:28px 0 14px" width="272" id="hplogo"><br><br></div><form action="/search" name="f"><table cellpadding="0" cellspacing="0"><tr valign="top"><td width="25%">&nbsp;</td><td align="center" nowrap=""><input name="ie" value="ISO-8859-
                                                      2022-08-05 09:58:39 UTC93INData Raw: 65 66 74 22 20 6e 6f 77 72 61 70 3d 22 22 20 77 69 64 74 68 3d 22 32 35 25 22 3e 3c 61 20 68 72 65 66 3d 22 2f 61 64 76 61 6e 63 65 64 5f 73 65 61 72 63 68 3f 68 6c 3d 64 65 26 61 6d 70 3b 61 75 74 68 75 73 65 72 3d 30 22 3e 45 72 77 65 69 74 65 72 74 65 20 53 75 63 68 65 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 69 6e 70 75 74 20 69 64 3d 22 67 62 76 22 20 6e 61 6d 65 3d 22 67 62 76 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 76 61 6c 75 65 3d 22 31 22 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 36 48 58 4e 59 6d 71 4a 4f 67 6f 47 6c 31 75 59 50 45 51 58 48 67 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 61 2c 62 3d 22 31 22 3b 69 66 28 64 6f 63 75 6d 65 6e 74 26 26 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c
                                                      Data Ascii: eft" nowrap="" width="25%"><a href="/advanced_search?hl=de&amp;authuser=0">Erweiterte Suche</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="6HXNYmqJOgoGl1uYPEQXHg">(function(){var a,b="1";if(document&&document.getEl
                                                      2022-08-05 09:58:39 UTC95INData Raw: 72 65 66 3d 22 2f 69 6e 74 6c 2f 64 65 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 4e 75 74 7a 75 6e 67 73 62 65 64 69 6e 67 75 6e 67 65 6e 3c 2f 61 3e 3c 2f 70 3e 3c 2f 73 70 61 6e 3e 3c 2f 63 65 6e 74 65 72 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 36 48 58 4e 59 6d 71 4a 4f 67 6f 47 6c 31 75 59 50 45 51 58 48 67 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 63 64 6f 3d 7b 68 65 69 67 68 74 3a 37 35 37 2c 77 69 64 74 68 3a 31 34 34 30 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 69 6e 6e 65 72 57 69 64 74 68 2c 62 3d 77 69 6e 64 6f 77 2e 69 6e 6e 65 72 48 65 69 67 68 74 3b 69 66 28 21 61 7c 7c 21 62 29 7b 76 61 72 20 63 3d 77 69 6e 64 6f 77 2e 64 6f 63 75 6d 65
                                                      Data Ascii: ref="/intl/de/policies/terms/">Nutzungsbedingungen</a></p></span></center><script nonce="6HXNYmqJOgoGl1uYPEQXHg">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.docume
                                                      2022-08-05 09:58:39 UTC96INData Raw: 6e 75 6c 6c 3b 76 61 72 20 6b 3d 64 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 6b 26 26 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 7b 74 72 79 7b 62 3d 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 22 67 6f 6f 67 23 68 74 6d 6c 22 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 65 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 65 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 65 7d 29 7d 63 61 74 63 68 28 71 29 7b 64 2e 63 6f 6e 73 6f 6c 65 26 26 64 2e 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 71 2e 6d 65 73 73 61 67 65 29 7d 67 3d 62 7d 65 6c 73 65 20 67 3d 62 7d 61 3d 28 62 3d 67 29 3f 62 2e 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 28 61 29 3a 61 3b 61 3d 6e 65 77 20 6c 28 61 2c 68 29 3b 63 2e 73 72 63 3d 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 6c 26
                                                      Data Ascii: null;var k=d.trustedTypes;if(k&&k.createPolicy){try{b=k.createPolicy("goog#html",{createHTML:e,createScript:e,createScriptURL:e})}catch(q){d.console&&d.console.error(q.message)}g=b}else g=b}a=(b=g)?b.createScriptURL(a):a;a=new l(a,h);c.src=a instanceof l&
                                                      2022-08-05 09:58:39 UTC97INData Raw: 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 5c 78 32 32 2c 5c 78 32 32 6f 73 6b 74 5c 78 32 32 3a 5c 78 32 32 45 69 6e 67 61 62 65 74 6f 6f 6c 73 5c 78 32 32 2c 5c 78 32 32 70 73 72 63 5c 78 32 32 3a 5c 78 32 32 44 69 65 73 65 20 53 75 63 68 61 6e 66 72 61 67 65 20 77 75 72 64 65 20 61 75 73 20 64 65 69 6e 65 6d 20 5c 5c 75 30 30 33 43 61 20 68 72 65 66 5c 78 33 64 5c 5c 5c 78 32 32 2f 68 69 73 74 6f 72 79 5c 5c 5c 78 32 32 5c 5c 75 30 30 33 45 57 65 62 70 72 6f 74 6f 6b 6f 6c 6c 5c 5c 75 30 30 33 43 2f 61 5c 5c 75 30 30 33 45 20 65 6e 74 66 65 72 6e 74 2e 5c 78 32 32 2c 5c 78 32 32 70 73 72 6c 5c 78 32 32 3a 5c 78 32 32 45 6e 74 66 65 72 6e 65 6e 5c 78 32 32 2c 5c 78 32 32 73 62 69 74 5c 78 32 32 3a 5c 78 32 32 42 69 6c 64 65 72 73 75 63 68 65 5c 78 32 32
                                                      Data Ascii: Informationen\x22,\x22oskt\x22:\x22Eingabetools\x22,\x22psrc\x22:\x22Diese Suchanfrage wurde aus deinem \\u003Ca href\x3d\\\x22/history\\\x22\\u003EWebprotokoll\\u003C/a\\u003E entfernt.\x22,\x22psrl\x22:\x22Entfernen\x22,\x22sbit\x22:\x22Bildersuche\x22
                                                      2022-08-05 09:58:39 UTC98INData Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0



                                                      Target ID:1
                                                      Start time:11:58:17
                                                      Start date:05/08/2022
                                                      Path:C:\Users\user\Desktop\4EBE6@3.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\4EBE6@3.exe"
                                                      Imagebase:0x320000
                                                      File size:641536 bytes
                                                      MD5 hash:ADE71491B076CA7A43EFFAF0214DD030
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.343598917.0000000004ABC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.343598917.0000000004ABC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.343598917.0000000004ABC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low

                                                      Target ID:13
                                                      Start time:11:58:34
                                                      Start date:05/08/2022
                                                      Path:C:\Users\user\AppData\Local\Temp\noise.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\AppData\Local\Temp\noise.exe"
                                                      Imagebase:0x320000
                                                      File size:641536 bytes
                                                      MD5 hash:ADE71491B076CA7A43EFFAF0214DD030
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.533246648.0000000003E75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.533246648.0000000003E75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000D.00000002.533246648.0000000003E75000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.540720727.0000000003F7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.540720727.0000000003F7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000D.00000002.540720727.0000000003F7B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low

                                                      Target ID:18
                                                      Start time:11:59:25
                                                      Start date:05/08/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                      Imagebase:0x9b0000
                                                      File size:41064 bytes
                                                      MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000000.442229675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000000.442229675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000012.00000000.442229675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.574138944.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.574138944.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high

                                                      Target ID:28
                                                      Start time:12:00:18
                                                      Start date:05/08/2022
                                                      Path:C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
                                                      Imagebase:0x850000
                                                      File size:41064 bytes
                                                      MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:.Net C# or VB.NET
                                                      Antivirus matches:
                                                      • Detection: 0%, Metadefender
                                                      • Detection: 0%, ReversingLabs
                                                      Reputation:high

                                                      Target ID:29
                                                      Start time:12:00:19
                                                      Start date:05/08/2022
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c9170000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      No disassembly